Chapter 22 System Password

ZyXEL NWA-3500 User’s Guide

Summary of Contents for NWA-3500

Page 1: ...www zyxel com NWA 3500 802 11a b g Wireless Access Point User s Guide Version 3 60 3 2007 Edition 1 ...

Page 3: ...ht away It contains information on setting up your network and configuring for Internet access Supporting Disk Refer to the included CD for support documents ZyXEL Web Site Please refer to www zyxel com for additional support documentation and product certifications User Guide Feedback Help us help you Send all User Guide related comments questions or suggestions for improvement to the following a...

Page 4: ... stroke is denoted by square brackets and uppercase text for example ENTER means the enter or return key on your keyboard Enter means for you to type one or more characters and then press the ENTER key Select or choose means for you to use one of the predefined choices A right angle bracket within a screen name denotes a mouse click For example Maintenance Log Log Setting means you first click Mai...

Page 5: ...ide 5 Icons Used in Figures Figures in this User s Guide may use the following generic icons The ZyXEL Device icon is not an exact representation of your device ZyXEL Device Computer Notebook computer Server DSLAM Firewall Telephone Switch Router ...

Page 6: ...the power adaptor or cord to the right supply voltage for example 110V AC in North America or 230V AC in Europe Do NOT allow anything to rest on the power adaptor or cord and do NOT place the product where anyone can walk on the power adaptor or cord Do NOT use the device if the power adaptor or cord is damaged as it might cause electrocution If the power adaptor or cord is damaged remove it from ...

Page 7: ...Safety Warnings ZyXEL NWA 3500 User s Guide 7 ...

Page 8: ...Safety Warnings ZyXEL NWA 3500 User s Guide 8 ...

Page 9: ...SSID and SSID 119 Other Wireless Configuration 127 IP Screen 137 Rogue AP 141 Remote Management Screens 147 Internal RADIUS Server 157 Certificates 163 Log Screens 181 VLAN 187 Maintenance 205 SMT and Troubleshooting 215 Introducing the SMT 217 General Setup 223 LAN Setup 225 SNMP Configuration 227 System Password 229 System Information and Diagnosis 231 Firmware and Configuration File Maintenance...

Page 10: ...Contents Overview ZyXEL NWA 3500 User s Guide 10 ...

Page 11: ...e ZyXEL Device 33 1 2 1 Access Point 34 1 2 2 Bridge Repeater 34 1 2 3 AP Bridge 35 1 2 4 MBSSID 36 1 2 5 Pre Configured SSID Profiles 37 1 2 6 Configuring Dual WLAN Adaptors 38 1 3 Ways to Manage the ZyXEL Device 38 1 4 Good Habits for Managing the ZyXEL Device 39 1 5 Hardware Connections 39 1 6 LEDs 40 Chapter 2 Introducing the Web Configurator 43 2 1 Accessing the Web Configurator 43 2 2 Resett...

Page 12: ...2 Set up Layer 2 Isolation 62 4 2 3 3 Activate the Guest Profile 63 4 2 4 Testing the Wireless Networks 63 4 3 How to Set Up and Use Rogue AP Detection 64 4 3 1 Set Up and Save a Friendly AP list 66 4 3 2 Activate Periodic Rogue AP Detection 68 4 3 3 Set Up E mail Logs 69 4 3 4 Configure Your Other Access Points 70 4 3 5 Test the Setup 70 4 4 Using Multiple MAC Filters and L 2 Isolation Profiles 7...

Page 13: ...TC WMM from WLAN to LAN 91 6 3 4 Type Of Service ToS 91 6 3 4 1 DiffServ 91 6 3 4 2 DSCP and Per Hop Behavior 91 6 3 5 ToS Type of Service and WMM QoS 92 6 4 Spanning Tree Protocol STP 92 6 4 1 Rapid STP 92 6 4 2 STP Terminology 93 6 4 3 How STP Works 93 6 4 4 STP Port States 94 6 5 DFS 94 6 6 Wireless Screen Overview 94 6 7 Configuring Wireless Settings 95 6 7 1 Access Point Mode 95 6 7 2 Bridge ...

Page 14: ...A PSK WPA2 PSK WPA2 PSK MIX 115 7 10 Introduction to RADIUS 116 7 11 Configuring RADIUS 116 Chapter 8 MBSSID and SSID 119 8 1 Wireless LAN Infrastructures 119 8 1 1 MBSSID 119 8 1 2 Notes on Multiple BSS 119 8 1 3 Multiple BSS Example 119 8 1 4 Multiple BSS with VLAN Example 119 8 1 5 Configuring Multiple BSSs 120 8 2 SSID 122 8 2 1 The SSID Screen 122 8 2 2 Configuring SSID 123 Chapter 9 Other Wi...

Page 15: ... Chapter 12 Remote Management Screens 147 12 1 Remote Management Overview 147 12 1 1 Remote Management Limitations 147 12 1 2 System Timeout 147 12 2 Configuring Telnet 148 12 3 Configuring FTP 149 12 4 Configuring WWW 150 12 5 SNMP 151 12 5 1 Supported MIBs 152 12 5 2 SNMP Traps 153 12 6 SNMP Traps 153 12 6 1 Configuring SNMP 154 Chapter 13 Internal RADIUS Server 157 13 1 Internal RADIUS Overview...

Page 16: ... 2 Configuring Log Settings 182 15 3 Example Log Messages 184 15 4 Log Commands 185 15 4 1 Configuring What You Want the ZyXEL Device to Log 185 15 4 2 Displaying Logs 186 15 5 Log Command Example 186 Chapter 16 VLAN 187 16 1 VLAN 187 16 1 1 Management VLAN ID 187 16 1 2 VLAN Tagging 187 16 2 Configuring VLAN 188 16 2 1 Wireless VLAN 188 16 2 2 RADIUS VLAN 190 16 2 3 Configuring Management VLAN Ex...

Page 17: ...ng the SMT via the Console Port 217 18 2 1 Initial Screen 217 18 2 2 Entering the Password 218 18 3 Connect to your ZyXEL Device Using Telnet 219 18 4 Changing the System Password 219 18 5 SMT Menu Overview Example 220 18 6 Navigating the SMT Interface 220 18 6 1 System Management Terminal Interface Summary 222 Chapter 19 General Setup 223 19 1 General Setup 223 19 1 1 Procedure To Configure Menu ...

Page 18: ...ration 240 24 3 1 Using the FTP command from the DOS Prompt Example 240 24 3 2 TFTP File Upload 241 24 3 3 Example TFTP Command 242 Chapter 25 System Maintenance and Information 243 25 1 Command Interpreter Mode 243 25 1 1 Command Syntax 244 25 1 2 Command Usage 244 25 1 3 Brute Force Password Guessing Protection 244 25 1 3 1 Configuring Brute Force Password Guessing Protection Example 244 25 2 Ti...

Page 19: ...oE Specifications 259 Appendix C Power Adaptor Specifications 261 Appendix D Setting up Your Computer s IP Address 263 Appendix E Wireless LANs 275 Appendix F Pop up Windows JavaScripts and Java Permissions 289 Appendix G IP Addresses and Subnetting 295 Appendix H Text File Based Auto Configuration 303 Appendix I Legal Information 311 Appendix J Customer Support 315 Index 319 ...

Page 20: ...Table of Contents ZyXEL NWA 3500 User s Guide 20 ...

Page 21: ...t 58 Figure 18 Tutorial VoIP Security 59 Figure 19 Tutorial VoIP Security Profile Edit 59 Figure 20 Tutorial VoIP Security Updated 60 Figure 21 Tutorial Activate VoIP Profile 60 Figure 22 Tutorial Guest Edit 61 Figure 23 Tutorial Guest Security Profile Edit 61 Figure 24 Tutorial Guest Security Updated 62 Figure 25 Tutorial Layer 2 Isolation 62 Figure 26 Tutorial Layer 2 Isolation Profile 63 Figure...

Page 22: ...6 Figure 57 WPA 2 with RADIUS Application Example 107 Figure 58 Wireless Security 109 Figure 59 WIRELESS Security WEP 110 Figure 60 Security 802 1x Only 111 Figure 61 Security 802 1x Static 64 bit 802 1x Static 128 bit 112 Figure 62 Security WPA 113 Figure 63 Security WPA2 or WPA2 MIX 114 Figure 64 Security WPA PSK WPA2 PSK or WPA2 PSK MIX 115 Figure 65 RADIUS 116 Figure 66 Multiple BSS with VLAN ...

Page 23: ...ate 169 Figure 101 My Certificate Details 172 Figure 102 Trusted CAs 174 Figure 103 Trusted CA Import 176 Figure 104 Trusted CA Details 177 Figure 105 View Log 181 Figure 106 Log Settings 182 Figure 107 WIRELESS VLAN 189 Figure 108 RADIUS VLAN 190 Figure 109 Management VLAN Configuration Example 192 Figure 110 VLAN Aware Switch Static VLAN 192 Figure 111 VLAN Aware Switch 192 Figure 112 VLAN Aware...

Page 24: ...Screen 218 Figure 145 Password Screen 219 Figure 146 Login Screen 219 Figure 147 Menu 23 1 System Password 220 Figure 148 SMT Main Menu 221 Figure 149 Menu 1 General Setup 223 Figure 150 Menu 3 LAN Setup 225 Figure 151 Menu 3 2 TCP IP Setup 225 Figure 152 Menu 22 SNMP Configuration 227 Figure 153 Menu 23 System Security 229 Figure 154 Menu 24 System Maintenance 231 Figure 155 Menu 24 1 System Main...

Page 25: ...unication in an Ad hoc Network 275 Figure 183 Basic Service Set 276 Figure 184 Infrastructure WLAN 277 Figure 185 RTS CTS 278 Figure 186 WPA 2 with RADIUS Application Example 285 Figure 187 WPA 2 PSK Authentication 286 Figure 188 Pop up Blocker 289 Figure 189 Internet Options Privacy 290 Figure 190 Internet Options Privacy 291 Figure 191 Pop up Blocker Settings 291 Figure 192 Internet Options Secu...

Page 26: ...List of Figures ZyXEL NWA 3500 User s Guide 26 ...

Page 27: ...r Priorities 90 Table 17 ATC WMM Priority Assignment LAN to WLAN 91 Table 18 ATC WMM Priority Assignment WLAN to LAN 91 Table 19 ToS and IEEE 802 1d to WMM QoS Priority Level Mapping 92 Table 20 STP Path Costs 93 Table 21 STP Port States 94 Table 22 Wireless Access Point 95 Table 23 Wireless Bridge Repeater 99 Table 24 Security Modes 107 Table 25 Wireless Security Levels 108 Table 26 WIRELESS Secu...

Page 28: ...le 55 Trusted Users 162 Table 56 My Certificates 166 Table 57 My Certificate Import 168 Table 58 My Certificate Create 169 Table 59 My Certificate Details 172 Table 60 Trusted CAs 175 Table 61 Trusted CA Import 176 Table 62 Trusted CA Details 177 Table 63 View Log 181 Table 64 Log Settings 183 Table 65 System Maintenance Logs 184 Table 66 ICMP Notes 184 Table 67 Sys log 185 Table 68 Log Categories...

Page 29: ...rt Pin Assignments 259 Table 97 North American Plug Standards 261 Table 98 European Plug Standards 261 Table 99 United Kingdom Plug Standards 261 Table 100 Australia and New Zealand Plug Standards 261 Table 101 IEEE 802 11g 279 Table 102 Wireless Security Levels 280 Table 103 Comparison of EAP Authentication Types 283 Table 104 Wireless Security Relational Matrix 286 Table 105 Subnet Masks 296 Tab...

Page 30: ...List of Tables ZyXEL NWA 3500 User s Guide 30 ...

Page 31: ...31 PART I Introduction Introducing the ZyXEL Device 33 Introducing the Web Configurator 43 Status Screens 47 Tutorial 51 ...

Page 33: ...ent types of security to groups of users The ZyXEL Device controls network access with MAC address filtering rogue AP detection layer 2 isolation and an internal authentication server It also provides a high level of network traffic security supporting IEEE 802 1x Wi Fi Protected Access WPA WPA2 and WEP data encryption Your ZyXEL Device is easy to install configure and use The embedded Web based c...

Page 34: ...can communicate with B at the same time A ZyXEL Device in repeater mode C has no Ethernet connection When the ZyXEL Device is in bridge mode you should enable STP to prevent bridge loops When the ZyXEL Device is in Bridge Repeater mode security between APs the Wireless Distribution System or WDS is independent of the security between the wireless stations and the AP If you do not enable WDS securi...

Page 35: ...ucing the ZyXEL Device ZyXEL NWA 3500 User s Guide 35 Figure 2 Bridge Application Figure 3 Repeater Application 1 2 3 AP Bridge In AP Bridge mode the ZyXEL Device supports both AP and bridge connection at the same time ...

Page 36: ...P Bridge Application 1 2 4 MBSSID A BSS Basic Service Set is the set of devices forming a single wireless network usually an access point and one or more wireless clients An SSID Service Set IDentifier is the name of a BSS In MBSSID Multiple BSS mode the ZyXEL Device provides multiple virtual APs each forming its own BSS and using its own individual SSID profile You can configure up to sixteen SSI...

Page 37: ...ltiple BSSs 1 2 5 Pre Configured SSID Profiles The ZyXEL Device has two pre configured SSID profiles 1 VoIP_SSID This profile is intended for use by wireless clients requiring the highest QoS Quality of Service level for VoIP Voice over IP telephony and other applications requiring low latency The QoS level of this profile is not user configurable See Section 6 3 1 on page 89 for more information ...

Page 38: ... access the wired network Figure 6 Dual WLAN Adaptors Example 1 3 Ways to Manage the ZyXEL Device Use any of the following methods to manage the ZyXEL Device Web Configurator This is recommended for everyday management of the ZyXEL Device using a supported web browser Command Line Interface Line commands are mostly used for troubleshooting by service engineers SMT System Management Terminal is a t...

Page 39: ...ng an earlier working configuration may be useful if the device becomes unstable or even crashes If you forget your password you will have to reset the ZyXEL Device to its factory default settings If you backed up an earlier configuration file you won t have to totally re configure the ZyXEL Device you can simply restore your last configuration 1 5 Hardware Connections See your Quick Start Guide f...

Page 40: ... s Guide 40 1 6 LEDs Figure 7 LEDs Table 1 LEDs LABEL LED COLOR STATUS DESCRIPTION 1 WL1 Green On The wireless adaptor WLAN1 is active Blinking The wireless adaptor WLAN1 is active and transmitting or receiving data Off The wireless adaptor WLAN1 is not active ...

Page 41: ...reless adaptor WLAN2 is not active 4 ZyAIR Blue On The ZyXEL Device is receiving power You can turn the ZyAIR LED off and on using the Web configurator See Section 6 7 1 on page 95 Blinking The ZyXEL Device is receiving power and transmitting data to or receiving data from its wireless stations Off Either The ZyXEL Device is not receiving power or The ZyAIR LED has been disabled See Section 6 7 1 ...

Page 42: ...Chapter 1 Introducing the ZyXEL Device ZyXEL NWA 3500 User s Guide 42 ...

Page 43: ...t to the ZyXEL Device refer to the Quick Start Guide 2 Launch your web browser 3 Type 192 168 1 2 as the URL default 4 Type 1234 default as the password and click Login In some versions the default password appears automatically if this is the case click Login 5 You should see a screen asking you to change your password highly recommended as shown next Type a new password and retype it to confirm ...

Page 44: ...ails about the Status screen The management session automatically times out when the time period set in the Administrator Inactivity Timer field expires default five minutes Simply log back into the ZyXEL Device if this happens 2 2 Resetting the ZyXEL Device If you forget your password or cannot access the web configurator you will need to use the RESET button This replaces the current configurati...

Page 45: ...or more information 2 3 Navigating the Web Configurator The following summarizes how to navigate the web configurator from the Status screen Click LOGOUT at any time to exit the web configurator Check the status bar at the bottom of the screen when you click Apply or OK to verify that the configuration has been updated Figure 10 The Status Screen of the Web Configurator Click the links on the left...

Page 46: ... Guide 46 Click MAINTENANCE to view information about your ZyXEL Device or upgrade configuration and firmware files Maintenance features include Status Statistics Association List Channel Usage F W firmware Upload Configuration Backup Restore and Default and Restart ...

Page 47: ...igation menu Use the Status screens to look at the current status of the device system resources interfaces and SSID status The Status screen also provides detailed information about associated wireless clients channel usage logs and detected rogue APs 3 1 The Status Screen Click Status The following screen displays Figure 11 The Status Screen ...

Page 48: ...mode in the Wireless Wireless screen Management VLAN This field displays the management VLAN ID if VLAN is active or Disabled if it is not active You can enable or disable VLAN or change the management VLAN ID in the VLAN Wireless VLAN screen IP This field displays the current IP address of the ZyXEL Device on the network LAN MAC This displays the MAC Media Access Control address of the ZyXEL Devi...

Page 49: ... s wireless interfaces WLAN1 and WLAN2 SSID This field displays each of the SSIDs currently used by each wireless module BSSID This field displays the MAC address of the wireless adaptor Security This field displays the type of wireless security used by each SSID VLAN This field displays the VLAN ID of each SSID in use or Disabled if the SSID does not use VLAN System Status Show Statistics Click t...

Page 50: ...Chapter 3 Status Screens ZyXEL NWA 3500 User s Guide 50 ...

Page 51: ... when other APs access your wired Ethernet network through the ZyXEL Device The ZyXEL Device is a repeater when it has no Ethernet connection and allows other APs to communicate with one another through the ZyXEL Device Use AP Bridge operating mode if you want to use the ZyXEL Device as an access point see above while also communicating with other access points See Section 1 2 3 on page 35 for det...

Page 52: ...wing figure shows the steps you should take to configure the wireless settings according to the operating mode you select Use the Web Configurator to set up your ZyXEL Device s wireless network see your Quick Start Guide for information on setting up your ZyXEL Device and accessing the Web Configurator ...

Page 53: ...er optional Select 802 11 Mode and Channel ID Configure WDS Security Select 802 11 Mode and Channel ID Configure WDS Security Select SSID Profile Configure SSID Profile Edit Security Profile Configure RADIUS authentication optional Configure internal AUTH SERVER optional Configure Layer 2 Isolation optional Configure MAC Filter optional Select 802 11 Mode and Channel ID Select SSID Profiles Config...

Page 54: ...L Device as an access point for your office network See your Quick Start Guide for information on how to set up your ZyXEL Device in Access Point mode Now your network is expanding and you want to make use of the MBSSID feature see Section 8 1 on page 119 to provide multiple wireless networks Each wireless network will cater for a different type of user You want to make three wireless networks one...

Page 55: ...ure these settings you need to know the MAC Media Access Control addresses of the devices you want to allow users of the guest network to access The following table shows the addresses used in this example 4 2 1 Change the Operating Mode Log in to the ZyXEL Device see Section 2 1 on page 43 Click WIRELESS Wireless The Wireless screen appears In this example the ZyXEL Device is using WLAN adaptor 1...

Page 56: ...ng Mode drop down list box The screen displays as follows Figure 15 Tutorial Wireless LAN Change Mode This Select SSID Profile table allows you to activate or deactivate SSID profiles Your wireless network was previously using the SSID04 profile so select SSID04 in one of the Profile list boxes number 3 in this example ...

Page 57: ...RELESS SSID The following screen displays Note that the SSID04 SSID profile the standard network is using the security01 security profile You cannot change this security profile without changing the standard network s parameters so when you set up security for the VoIP_SSID and Guest_SSID profiles you will need to set different security profiles Figure 16 Tutorial WIRELESS SSID The Voice over IP V...

Page 58: ...rk so there is no need to broadcast the SSID to wireless clients scanning the area The standard network SSID04 is currently using the security01 profile so use a different profile for the VoIP network If you used the security01 profile anyone who could access the standard network could access the VoIP wireless network Select security02 from the Security field Leave all the other fields at their de...

Page 59: ...y Profile Edit Change the Name field to VoIP_Security to make it easier to remember and identify In this example you do not have a RADIUS server for authentication so select WPA2 PSK in the Security Mode field WPA2 PSK provides strong security that anyone with a compatible wireless client can use once they know the pre shared key PSK Enter the PSK you want to use in your network in the Pre Shared ...

Page 60: ...cross the wireless network 4 2 3 Configure the Guest Network When you are setting up the wireless network for guests to your office your primary concern is to keep your network secure while allowing access to certain resources such as a network printer or the Internet For this reason the pre configured Guest_SSID profile has layer 2 isolation and intra BSS traffic blocking enabled by default Layer...

Page 61: ...using the security01 profile and the VoIP network is using the security02 profile renamed VoIP_Security so select the security03 profile from the Security field Leave all the other fields at their defaults and click Apply 4 2 3 1 Set Up Security for the Guest Profile Now you need to configure the security settings to use on the guest wireless network Click the Security tab You already chose to use...

Page 62: ...n the Pre Shared Key field In this example the PSK is ThisismyGuestWPApre sharedkey Click Apply The WIRELESS Security screen displays Ensure that the Profile Name for entry 3 displays Guest_Security and that the Security Mode is WPA PSK Figure 24 Tutorial Guest Security Updated 4 2 3 2 Set up Layer 2 Isolation Configure layer 2 isolation to control the specific devices you want the users on your g...

Page 63: ... Select SSID Profile table select the check box for the Guest_SSID profile and click Apply Figure 27 Tutorial Activate Guest Profile Your Guest wireless network is now ready to use 4 2 4 Testing the Wireless Networks To make sure that the three networks are correctly configured do the following On a computer with a wireless client scan for access points You should see the Guest_SSID network but no...

Page 64: ...Up and Use Rogue AP Detection This example shows you how to configure the rogue AP detection feature on the ZyXEL Device A rogue AP is a wireless access point operating in a network s coverage area that is not a sanctioned part of that network The example also shows how to set the ZyXEL Device to send out e mail alerts whenever it detects a rogue wireless access point See Chapter 11 on page 141 fo...

Page 65: ... Devices in this example you will need to use the information in the following table You need the IP addresses of your APs to access their Web configurators and you need the MAC address of each AP to configure the friendly AP list You need the IP address of the mail server to set up e mail alerts Table 4 Tutorial Rogue AP Example Information DEVICE IP ADDRESS MAC ADDRESS Access Point A 192 168 1 1...

Page 66: ...ss points 5 Test the setup 4 3 1 Set Up and Save a Friendly AP list Take the following steps to set up and save a list of access points you want to allow in your network s coverage area 1 On a computer connected to the wired network F in the previous figure open your Internet browser and enter the URL of access point A 192 168 1 1 Login to the Web configurator and click ROGUE AP Friendly AP The fo...

Page 67: ...work s security The Friendly AP screen now appears as follows Figure 30 Tutorial Friendly AP After Data Entry 3 Next you will save the list of friendly APs in order to provide a backup and upload it to your other access points Click the Configuration tab The following screen appears Figure 31 Tutorial Configuration 4 Click Export If a window similar to the following appears click Save ...

Page 68: ... on the network file server E in Figure 28 on page 65 The default filename is Flist Figure 33 Tutorial Save Friendly AP list 4 3 2 Activate Periodic Rogue AP Detection Take the following steps to activate rogue AP detection on the first of your ZyXEL Devices 1 In the ROGUE AP Configuration screen select Yes from the Activate Rogue AP Period Detection field Figure 34 Tutorial Periodic Rogue AP Dete...

Page 69: ...g message to your e mail inbox whenever a rogue AP is discovered in your wireless network s coverage area 1 Click LOGS Log Settings The following screen appears Figure 35 Tutorial Log Settings In this example your mail server s IP address is 192 168 1 25 Enter this IP address in the Mail Server field Enter a subject line for the alert e mails in the Mail Subject field Choose a subject that is eye ...

Page 70: ...m ALERT_Access_Point_B etc 4 3 5 Test the Setup Next test your setup to ensure it is correctly configured Log into each AP s Web configurator and click ROGUE AP Rogue AP Click Refresh If any of the MAC addresses from Table 5 on page 66 appear in the list the friendly AP function may be incorrectly configured check the ROGUE AP Friendly AP screen If any entries appear in the rogue AP list that are ...

Page 71: ...ata You have two secure servers 1 and 2 in the following figure Wireless user Alice A needs to access server 1 but should not access server 2 and wireless user Bob B needs to access server 2 but should not access server 1 Your ZyXEL Device is marked Z C is a workstation on your wired network D is your main network switch and E is the security gateway you use to connect to the Internet Figure 36 Tu...

Page 72: ...r settings and test the configuration To configure layer 2 isolation you need to know the MAC addresses of the devices on your network which are as follows To configure MAC filtering you need to know the MAC addresses of the devices Alice and Bob use to connect to the network which are as follows Table 6 Tutorial SSID Profile Security Settings SSID Profile Name SERVER_1 SERVER_2 SSID SSID_S1 SSID_...

Page 73: ...lice alone and then configure layer 2 isolation to allow her to access only the network router the file server and the Internet security gateway Take the following steps to configure the SERVER_1 network 1 Log into the ZyXEL Device s Web Configurator and click WIRELESS SSID The following screen displays showing the SSID profiles you already configured Figure 37 Tutorial SSID Profile 2 Select SERVE...

Page 74: ...t 1 s entry Enter server 1 s MAC Address and add a Description SERVER_1 in this case in Set 2 s entry Change the Profile Name to L 2 ISO_SERVER_1 and click Apply You have restricted users on the SERVER_1 network to access only the devices with the MAC addresses you entered 4 Click the MAC Filter tab When the MAC Filter screen appears select macfilter03 s entry and click Edit Enter the MAC address ...

Page 75: ...he procedure in Section 4 4 4 on page 73 substituting the following information Table 9 Tutorial SERVER_2 Network Information SSID Screen Index 4 Profile Name SERVER_2 SSID Edit SERVER_2 Screen L2 Isolation L2Isolation04 MAC Filtering macfilter04 Layer 2 Isolation L2Isolation04 Screen Profile Name L 2 ISO_SERVER 2 Set 1 MAC Address 77 66 55 44 33 22 Description NET_ROUTER Set 2 MAC Address 99 88 7...

Page 76: ...SID profiles are selected and activated as shown in the following figure Figure 41 Tutorial SSID Profiles Activated 2 Next click the SSID tab Check that each configured SSID profile uses the correct Security Layer 2 Isolation and MAC Filter profiles as shown in the following figure Figure 42 Tutorial SSID Tab Correct Settings V If the settings are not as shown follow the steps in the relevant sect...

Page 77: ...g Bob s computer and wireless client and the correct security settings do the following Attempt to access Server 2 You should be able to do so Attempt to access the Internet You should be able to do so Attempt to access Server 1 You should be unable to do so If you can do so layer 2 isolation is misconfigured Using Bob s computer and wireless client and incorrect security settings attempt to assoc...

Page 78: ...Chapter 4 Tutorial ZyXEL NWA 3500 User s Guide 78 ...

Page 79: ...reless Configuration 87 Wireless Security Configuration 103 MBSSID and SSID 119 Other Wireless Configuration 127 IP Screen 137 Rogue AP 141 Remote Management Screens 147 Internal RADIUS Server 157 Certificates 163 Log Screens 181 VLAN 187 Maintenance 205 ...

Page 81: ...o 30 alphanumeric characters long Spaces are not allowed but dashes and underscores _ are accepted Domain Name This is not a required field Leave this field blank or enter the domain name here if you know it Administrator Inactivity Timer Type how many minutes a management session either via the web configurator or SMT can be left idle before the session times out The default is 5 minutes After it...

Page 82: ... of how you configure this screen you still use the local system password to log in via the console port not available on all models First DNS Server Second DNS Server Third DNS Server Select From DHCP if your DHCP server dynamically assigns DNS server information and the ZyXEL Device s Ethernet IP address The field to the right displays the read only DNS server IP address that the DHCP assigns Se...

Page 83: ...ype Retype to Confirm Retype your new system password for confirmation Enable Admin on RADIUS Select this and configure the other fields in this section to have a RADIUS server authenticate management logins to the ZyXEL Device Use old setting Select this to have a RADIUS server authenticate management logins to the ZyXEL Device using the RADIUS username and password already configured on the devi...

Page 84: ...IUS server that is to authenticate management logins to the ZyXEL Device The ZyXEL Device tests the user name and password against the RADIUS server when you apply your settings The user name and password must already be configured in the RADIUS server You must already have a RADIUS profile configured for the RADIUS server see Section 7 11 on page 116 The server must be set to Active in the profil...

Page 85: ...riod from late spring to early fall when many countries set their clocks ahead of normal local time by one hour to give more daytime light in the evening Start Date Configure the day and time when Daylight Saving Time starts if you selected Enable Daylight Saving The at field uses the 24 hour format Here are a couple of examples Daylight Saving Time starts in most parts of the United States on the...

Page 86: ... specified When the ZyXEL Device uses the pre defined list of NTP time servers it randomly selects one server and tries to synchronize with it If the synchronization fails then the ZyXEL Device goes through the rest of the list in order from the first one tried until either it is successful or all the pre defined NTP time servers have been tried Apply Click Apply to save your changes Reset Click R...

Page 87: ...communications between wireless stations or between a wireless station and a wired network client go through one access point AP Intra BSS traffic is traffic between wireless stations in the BSS When Intra BSS traffic blocking is disabled wireless station A and B can access the wired network and communicate with each other When Intra BSS traffic blocking is enabled wireless station A and B can sti...

Page 88: ... called a Distribution System DS An ESSID ESS IDentification uniquely identifies each ESS All access points and their associated wireless stations within the same ESS must have the same ESSID in order to communicate Figure 47 Extended Service Set 6 2 Wireless LAN Basics See the Wireless LANs Appendix for information on the following Wireless LAN Topologies Channel RTS CTS Fragmentation Threshold I...

Page 89: ...riority levels that the ZyXEL Device uses 6 3 2 ATC Automatic Traffic Classifier ATC is a bandwidth management tool that prioritizes data packets sent across the network ATC assigns each packet a priority and then queues the packet accordingly Packets assigned a high priority are processed more quickly than those with low priority if there is congestion allowing time sensitive applications to flow...

Page 90: ... WMM function prioritizes all packets transmitted onto the wireless network using WMM QoS and prioritizes all packets transmitted onto the wired network using ATC See Section 8 2 2 on page 123 for details of how to configure ATC WMM Use the ATC WMM function if you want to do the following enable WMM QoS on your wireless network and automatically assign a WMM priority to packets that do not already...

Page 91: ...d traffic flow Packets are marked with DiffServ Code Points DSCPs indicating the level of service desired This allows the intermediary DiffServ compliant network devices to handle the packets differently depending on the code points without the need to negotiate paths or remember state information for every flow In addition applications do not have to request a particular service or give advanced ...

Page 92: ...e communicating must both set the DSCP value in order to make the best use of WMM QoS A Voice over IP VoIP device for example may allow you to define the DSCP value The following table lists which WMM QoS priority level the ZyXEL Device uses for specific DSCP values 6 4 Spanning Tree Protocol STP STP detects and breaks network loops and provides backup links between switches bridges or routers It ...

Page 93: ...it enables the root port and the ports that are the designated ports for connected LANs, and disables all other ports that participate in STP. Network packets are therefore only forwarded between enabled ports, eliminating any possible network loops. STP-aware bridges exchange Bridge Protocol Data Units (BPDUs) periodically. When the bridged LAN topology changes, a new spanning tree is constructed. Once a ...

Page 94: ...umes communications on the new channel 6 6 Wireless Screen Overview The following is a list of the wireless screens you can configure on the ZyXEL Device 1 Configure the ZyXEL Device to operate in AP AP Bridge Bridge Repeater or MBSSID mode in the Wireless screen You can also select an SSID Profile in the Wireless screen 2 Use the SSID screens to view and edit SSID profiles 3 Use the Security scre...

Page 95: ...vices to associate with the ZyXEL Device Select 802 11g Only to allow only IEEE 802 11g compliant WLAN devices to associate with the ZyXEL Device Select 802 11b g to allow both IEEE802 11b and IEEE802 11g compliant WLAN devices to associate with the ZyXEL Device The transmission rate of your ZyXEL Device might be reduced Select 802 11a to allow only IEEE 802 11a compliant WLAN devices to associate...

Page 96: ...ect an SSID Profile from the drop down list box Configure SSID profiles in the SSID screen see Section 8 2 on page 122 for information on configuring SSID Note If you are configuring the ZyXEL Device from a computer connected to the wireless LAN and you change the ZyXEL Device s SSID or security settings you will lose your wireless connection when you press Apply to confirm You must then change th...

Page 97: ...hen both ZyXEL Devices are in Bridge/Repeater mode, they form a WDS (Wireless Distribution System) allowing the computers in LAN 1 to connect to the computers in LAN 2. Figure 50 Bridging Example Be careful to avoid bridge loops when you enable bridging in the ZyXEL Device. Bridge loops cause broadcast traffic to circle the network endlessly, resulting in possible throughput degradation and disruption o...

Page 98: ... bridge that is also connected to the same wired LAN. Figure 52 Bridge Loop Bridge Connected to Wired LAN To prevent bridge loops, ensure that you enable STP in the Wireless screen or your ZyXEL Device is not set to bridge mode while connected to both wired and wireless segments of the same LAN. To have the ZyXEL Device act as a wireless bridge only, click WIRELESS > Wireless and select Bridge/Repeater ...

Page 99: ... The transmission rate of your ZyXEL Device might be reduced Select 802 11a to allow only IEEE 802 11a compliant WLAN devices to associate with the ZyXEL Device Choose Channel ID Set the operating frequency channel depending on your particular region To manually set the ZyXEL Device to use a channel select a channel from the drop down list box Click MAINTENANCE and then the Channel Usage tab to op...

Page 100: ...h access point can use a different pre shared key Configure WDS security and the relevant PSK in each of your other access point s Note Other APs must use the same encryption method to enable WDS security TKIP ZyAIR Series Compatible Select this to enable Temporal Key Integrity Protocol TKIP security on your WDS This option is compatible with other ZyXEL access points that support WDS security Use...

Page 101: ...y See the section on applications for more information Figure 54 Wireless AP Bridge See the tables describing the fields in the Access Point and Bridge Repeater operating modes for descriptions of the fields in this screen 6 7 4 MBSSID Mode Select MBSSID as the Operating Mode to display the screen Refer to Chapter 8 on page 119 for configuration and detailed information See Chapter 7 on page 103 f...

Page 102: ...Chapter 6 Wireless Configuration ZyXEL NWA-3500 User's Guide 102 ...

Page 103: ...A 2 aware wireless clients but no RADIUS server. If you don't have WPA 2 aware wireless clients, then use WEP key encrypting. A higher bit key offers better security. You can manually enter 64-bit, 128-bit or 152-bit WEP keys. 7.1.2 Restricted Access The MAC Filter screen allows you to configure the AP to give exclusive access to devices (Allow Association) or exclude them from accessing the AP (Deny Assoc...

Page 104: ...he ZyXEL Device supports EAP TLS EAP TTLS EAP MD5 and PEAP with RADIUS Refer to the Types of EAP Authentication appendix for descriptions on the common types The following figure shows an overview of authentication when you specify a RADIUS server on your access point Figure 55 EAP Authentication The details below provide a general description of how IEEE 802 1x EAP authentication works For an exa...

Page 105: ...encryption keys to encrypt every data packet that is wirelessly communicated between the AP and the wireless clients. This all happens in the background automatically. The Message Integrity Check (MIC) is designed to prevent an attacker from capturing data packets, altering them and resending them. The MIC provides a strong mathematical function in which the receiver and the transmitter each compute and...

Page 106: ...erver, its port number (default is 1812) and the RADIUS shared secret. A WPA 2 application example with an external RADIUS server looks as follows. A is the RADIUS server. DS is the distribution system. 1. The AP passes the wireless client's authentication request to the RADIUS server. 2. The RADIUS server then checks the user's identification against its database and grants or denies network access accordi...

Page 107: ...n 802 1x Static64 Select this to use 802 1x authentication with a static 64bit WEP key and an authentication server 802 1x Static128 Select this to use 802 1x authentication with a static 128bit WEP key and an authentication server WPA Select this to use WPA WPA PSK Select this to use WPA with a pre shared key WPA2 Select this to use WPA2 WPA2 MIX Select this to use either WPA2 or WPA depending on...

Page 108: ...P key exchange. It requires interaction with a RADIUS (Remote Authentication Dial-In User Service) server either on the WAN or your LAN to provide authentication service for wireless stations. If you do not enable any wireless security on your ZyXEL Device, your network is accessible to any wireless networking device within range. 7.9 Configuring Security The following screens are configurable only in A...

Page 109: ...ct WEP in the Security Mode field to display the following screen Table 26 WIRELESS Security LABEL DESCRIPTION Index This is the index number of the security profile Profile Name This field displays a name given to a security profile in the Security configuration screen Security Mode This field displays the security mode this security profile uses Edit Select an entry from the list and click Edit ...

Page 110: ...drop down list box The default setting is Auto ASCII Select this option to enter ASCII characters as the WEP keys Hex Select this option to enter hexadecimal characters as the WEP keys The preceding 0x is entered automatically Key 1 to Key 4 The WEP keys are used to encrypt data Both the ZyXEL Device and the wireless stations must use the same WEP key for data transmission If you chose 64 bit WEP ...

Page 111: ...o resend user names and passwords in order to stay connected Enter a time interval between 10 and 9999 seconds The default time interval is 1800 seconds 30 minutes Alternatively enter 0 to turn reauthentication off Note If wireless station authentication is done using a RADIUS server the reauthentication timer on the RADIUS server has priority Idle Timeout The ZyXEL Device automatically disconnect...

Page 112: ...ta from eavesdropping by unauthorized wireless users The values for the keys must be set up exactly the same on the access points as they are on the wireless stations The preceding 0x is entered automatically You must configure all four keys but only one key can be activated at any one time The default key is key 1 ReAuthentication Timer Specify how often wireless stations have to resend user name...

Page 113: ... 0 to turn reauthentication off Note If wireless station authentication is done using a RADIUS server the reauthentication timer on the RADIUS server has priority Idle Timeout The ZyXEL Device automatically disconnects a wireless station from the wired network after a period of inactivity The wireless station needs to enter the user name and password again before access to the wired network is all...

Page 114: ...y Update Timer The Group Key Update Timer is the rate at which the AP sends a new group key out to all clients The re keying process is the WPA equivalent of automatically changing the group key for an AP and all stations in a WLAN on a periodic basis Setting of the Group Key Update Timer is also supported in WPA PSK mode The ZyXEL Device s default is 1800 seconds 30 minutes PMK Cache When a wirel...

Page 115: ... and passwords in order to stay connected Enter a time interval between 10 and 9999 seconds The default time interval is 1800 seconds 30 minutes Alternatively enter 0 to turn reauthentication off Note If wireless station authentication is done using a RADIUS server the reauthentication timer on the RADIUS server has priority Idle Timeout The ZyXEL Device automatically disconnects a wireless statio...

Page 116: ...ADIUS Use RADIUS if you want to authenticate wireless users using the internal authentication server see Section 13 1 on page 157 or an external server You can configure up to four RADIUS server profiles Each profile also has one backup authentication server and a backup accounting server These profiles can be assigned to an SSID profile in the SSID configuration screen To set up your ZyXEL Device...

Page 117: ...the external authentication server in dotted decimal notation This field is not available when you select Internal RADIUS Server Port Enter the port number of the external authentication server The default port number is 1812 You need not change this value unless your network administrator instructs you to do so This field is not available when you select Internal Share Secret Enter a password up ...

Page 118: ...Chapter 7 Wireless Security Configuration ZyXEL NWA-3500 User's Guide 118 ...

Page 119: ...to associate with the same AP. 8.1.2 Notes on Multiple BSS A maximum of eight BSSs are allowed on one AP simultaneously. You must use different WEP keys for different BSSs. If two stations have different BSSIDs (they are in different BSSs), but have the same WEP keys, they may hear each other's communications, but not communicate with each other. MBSSID should not replace but rather be used in conjunction ...

Page 120: ...500 User s Guide 120 Figure 66 Multiple BSS with VLAN Example 8 1 5 Configuring Multiple BSSs Click WIRELESS Wireless and select MBSSID in the Operating Mode drop down list box to display the screen as shown Figure 67 Wireless Multiple BSS ...

Page 121: ...is button to have the ZyXEL Device automatically select the wireless channel with the lowest interference RTS CTS Threshold The threshold number of bytes for enabling RTS CTS handshake Data with a frame size larger than this value will perform the RTS CTS handshake Setting this attribute to be larger than the maximum MSDU MAC service data unit size turns off the RTS CTS handshake Setting this attr...

Page 122: ... known as the ZyAIR LED The blue ZyAIR LED is on when the ZyXEL Device is on and blinks or breathes when data is being transmitted to from its wireless stations Clear the check box to turn this LED off even when the ZyXEL Device is on and data is being transmitted received Enable Spanning Tree Control STP R STP detects and breaks network loops and provides backup links between switches bridges or ...

Page 123: ...s which security profile is currently associated with each SSID profile See Section 7 9 on page 108 for more information RADIUS This field displays which RADIUS profile is currently associated with each SSID profile if you have a RADIUS server configured QoS This field displays the Quality of Service setting for this profile or NONE if QoS is not configured on a profile Layer 2 Isolation This fiel...

Page 124: ...een Table 36 Configuring SSID LABEL DESCRIPTION Profile Name Enter a name identifying this profile SSID When a wireless client scans for an AP to associate with this is the name that is broadcast and seen in the wireless client utility Hide Name SSID Select Disable if you want the ZyXEL Device to broadcast this SSID a wireless client scanning for an AP will find this SSID Alternatively select Enab...

Page 125: ...3 3 on page 90 for more information on ATC WMM If you select WMM_VOICE WMM_VIDEO WMM_BEST_EFFORT or WMM_BACKGROUND the ZyXEL Device applies that QoS setting to all of that SSID s traffic If you select NONE the ZyXEL Device applies no priority to traffic on this SSID Note When you configure an SSID profile s QoS settings the ZyXEL Device applies the same QoS setting to all of the profile s traffic ...

Page 126: ...Chapter 8 MBSSID and SSID ZyXEL NWA-3500 User's Guide 126 ...

Page 127: ... clients, APs, computers or routers in a network. In the following example, layer 2 isolation is enabled on the ZyXEL Device (Z in the figure) to allow a guest wireless client (A) to access the main network router (B). The router provides access to the Internet (C) and the network printer (D) while preventing the client from accessing other computers and servers on the network. The client can communicate with oth...

Page 128: ...blocked from communicating with the ZyXEL Device's wireless clients except for broadcast packets. Layer 2 isolation does not check the traffic between wireless clients that are associated with the same AP. Intra-BSS Traffic allows wireless clients associated with the same AP to communicate with each other. 9.2 The Layer 2 Isolation Screen Click WIRELESS > Layer 2 Isolation. The screen appears as shown n...

Page 129: ...layer 2 isolation is enabled you need to know the MAC address of each wireless client AP computer or router that you want to allow to communicate with the ZyXEL Device s wireless clients Table 37 WIRELESS Layer 2 Isolation LABEL DESCRIPTION Index This is the index number of the profile Profile Name This field displays the name given to a layer 2 isolation profile in the Layer 2 Isolation Configura...

Page 130: ...s of a wireless client AP computer or router A wireless client associated with the ZyXEL Device can communicate with another wireless client AP computer or router only if the MAC addresses of those devices are listed in this table Set This is the index number of the MAC address MAC Address Type the MAC addresses of the wireless client AP computer or router that you want to allow the associated wir...

Page 131: ...e server C but not access point B or wireless client 3 Enter C s MAC address in the MAC Address field and enter File Server C in the Description field Figure 74 Layer 2 Isolation Example 1 9 3 1 2 Layer 2 Isolation Example 2 In the following example wireless clients 1 and 2 can communicate with access point B and file server C but not wireless client 3 Enter the server s and your ZyXEL Device s MA...

Page 132: ...ue MAC (Media Access Control) address. The MAC address is assigned at the factory and consists of six pairs of hexadecimal characters, for example, 00:A0:C5:00:00:02. You need to know the MAC address of each device to configure MAC filtering on the ZyXEL Device. The MAC filter profile is a user-configured list of MAC addresses. Each SSID profile can reference one MAC filter profile. The ZyXEL Device provid...

Page 133: ...ilter settings click WIRELESS MAC Filter Edit The screen appears as shown Figure 77 MAC Address Filter Table 39 WIRELESS MAC Filter LABEL DESCRIPTION Index This is the index number of the profile Profile Name This field displays the name given to a MAC filter profile in the MAC Filter Configuration screen Edit Select an entry from the list and click Edit to configure settings for that profile ...

Page 134: ... access points on the LAN about the change An example is shown in Figure 78 on page 135 With roaming a wireless LAN mobile user enjoys a continuous connection to the wired network through an access point while moving around the wireless LAN Enable roaming to exchange the latest bridge information of all wireless stations between APs when a wireless station moves between coverage areas Wireless sta...

Page 135: ... 1 Requirements for Roaming The following requirements must be met in order for wireless stations to roam between the coverage areas 1 All the access points must be on the same subnet and configured with the same ESSID 2 If IEEE 802 1x user authentication is enabled and to be done locally on the access point the new access point must have the user profile for the wireless station 3 The adjacent ac...

Page 136: ...Chapter 9 Other Wireless Configuration ZyXEL NWA-3500 User's Guide 136 Figure 79 Roaming Select the Roaming Active check box and click Apply. ...

Page 137: ...your two branch offices for instance you can assign any IP addresses to the hosts without problems However the Internet Assigned Numbers Authority IANA has reserved the following three blocks of IP addresses specifically for private networks You can obtain your IP address from the IANA from an ISP or have it assigned by a private network If you belong to a small organization and your Internet acce...

Page 138: ...m a DHCP server each time Note You must know the IP address assigned to the ZyXEL Device by the DHCP server to access the ZyXEL Device again Use fixed IP address Select this option if your ZyXEL Device is using a static IP address When you select this option fill in the fields below IP Address Enter the IP address of your ZyXEL Device in dotted decimal notation Note If you change the ZyXEL Device ...

Page 139: ...Chapter 10 IP Screen ZyXEL NWA 3500 User s Guide 139 Apply Click Apply to save your changes Reset Click Reset to begin configuring this screen afresh Table 42 IP Setup LABEL DESCRIPTION ...

Page 140: ...Chapter 10 IP Screen ZyXEL NWA-3500 User's Guide 140 ...

Page 141: ...scan reveals a rogue AP, you can use commercially available software to physically locate it. Note that it is not necessary for a network to have a legitimate wireless LAN component for rogue APs to open the network to an attacker. In this case, any AP detected can be classified as rogue. 11.2 Rogue AP Examples In the following example, a corporate network's security is compromised by a rogue AP (R) set u...

Page 142: ...ents (A and B) who attempt to connect. This is known as a honeypot attack. If a rogue AP in this scenario has sufficient power and is broadcasting the correct SSID (Service Set IDentifier), clients have no way of knowing that they are not associating with a legitimate company AP. The attacker can forward network traffic from associated clients to a legitimate AP, creating the impression of normal service. T...

Page 143: ...as any others that you know are not a threat (those from neighboring networks, for example). It is recommended that you export (save) your list of friendly APs often, especially if you have a network with a large number of access points. You can choose to scan for rogue APs manually, or to have the ZyXEL Device scan automatically at pre-defined intervals. You can also set the ZyXEL Device to email you immed...

Page 144: ...detection on You must also enter a time value in the Period field Select No to turn rogue AP detection off Period min Enter the period you want the ZyXEL Device to wait between scanning for rogue APs between 10 and 60 minutes You must also select Yes in the Active Rogue AP Period Detection field Friendly AP List Export Click this button to save the current list of friendly APs MAC addresses and de...

Page 145: ...ress Enter the MAC address of the AP you wish to add to the list Description Enter a short explanatory description identifying the AP with a maximum of 32 alphanumeric characters Spaces underscores _ and dashes are allowed Add Click this button to include the AP in the list Friendly AP List This is the list of safe wireless access points you have already configured This is the index number of the ...

Page 146: ...isplays the Service Set IDentifier also known as the network name of the AP Channel This field displays the wireless channel the AP is currently using Security This field displays the type of wireless encryption the AP is currently using Description If you want to move the AP s entry to the friendly AP list enter a short explanatory description identifying the AP before you click Add to Friendly A...

Page 147: ...re as follows: 1. Telnet 2. HTTP 12.1.1 Remote Management Limitations Remote management over LAN or WLAN will not work when: 1. You have disabled that service in one of the remote management screens. 2. The IP address in the Secured Client IP field does not match the client IP address. If it does not match, the ZyXEL Device will disconnect the session immediately. 3. There is already another remote managemen...

Page 148: ...le 47 Remote Management Telnet LABEL DESCRIPTION TELNET Server Port You can change the server port number for a service if needed however you must use the same port number in order to use that service for remote management Server Access Select the interface s through which a computer may access the ZyXEL Device using Telnet Secured Client IP Address A secured client is a trusted computer that is a...

Page 149: ...use the same port number in order to use that service for remote management Server Access Select the interface s through which a computer may access the ZyXEL Device using SSH Secured Client IP Address A secured client is a trusted computer that is allowed to communicate with the ZyXEL Device using this service Select All to allow any computer to access the ZyXEL Device using this service Choose S...

Page 150: ...ized settings and exit this screen Reset Click Reset to begin configuring this screen afresh Table 48 Remote Management FTP LABEL DESCRIPTION Table 49 Remote Management WWW LABEL DESCRIPTION HTTPS Server Certificate Select the Server Certificate that the ZyXEL Device will use to identify itself The ZyXEL Device is the SSL server and must always authenticate itself to the SSL client the computer wh...

Page 151: ...or access by setting the HTTP Server Access field to Disable and setting the HTTPS Server Access field to an interface s Secured Client IP Address A secure client is a trusted computer that is allowed to communicate with the ZyXEL Device using this service Select All to allow any computer to access the ZyXEL Device using this service Choose Selected to just allow the computer with the IP address t...

Page 152: ...collection of managed objects. SNMP allows a manager and agents to communicate for the purpose of accessing these objects. SNMP itself is a simple request/response protocol based on the manager/agent model. The manager issues a request and the agent returns responses using the following protocol operations: Get: Allows the manager to retrieve an object variable from the agent. GetNext: Allows the manager...

Page 153: ... set requirements with the wrong community (password). Note: snmpEnableAuthenTraps, OID 1.3.6.1.2.1.11.30 (defined in RFC 1214 and RFC 1907), must be enabled in order for the device to send authenticationFailure traps. Use a MIB browser to enable or disable snmpEnableAuthenTraps. Traps defined in the ZyXEL Private MIB: whyReboot (1.3.6.1.4.1.890.1.5.13.0.1) This trap is sent with the reason for restarting b...

Page 154: ...lic and allows all requests Community Type the trap community which is the password sent with each trap to the SNMP manager The default is public and allows all requests Destination Type the IP address of the station to send your SNMP traps to SNMP Service Port You may change the server port number for a service if needed however you must use the same port number in order to use that service for r...

Page 155: ...ement Screens ZyXEL NWA 3500 User s Guide 155 Apply Click Apply to save your customized settings and exit this screen Reset Click Reset to begin configuring this screen afresh Table 52 Remote Management SNMP LABEL DESCRIPTION ...

Page 156: ...Chapter 12 Remote Management Screens ZyXEL NWA-3500 User's Guide 156 ...

Page 157: ...n the types of EAP authentication and the internal RADIUS authentication method used in your ZyXEL Device Use the AUTH SERVER Setting screen to turn the ZyAIR s internal RADIUS server off or on and to view information about the ZyXEL Device s certificates Use the AUTH SERVER Trusted AP screen to specify APs as trusted Trusted APs can use the ZyAIR s internal RADIUS server to authenticate wireless ...

Page 158: ...have the ZyXEL Device use its internal RADIUS server to authenticate wireless clients or other APs This field displays the certificate index number The certificates are listed in alphabetical order Use the CERTIFICATES screens to manage certificates The internal RADIUS server uses one of the certificates listed in this screen to authenticate each wireless client The exact certificate used depends ...

Page 159: ...splays identifying information about the certificate s owner such as CN Common Name OU Organizational Unit or department O Organization or company and C Country It is recommended that each certificate have unique subject information Issuer This field displays identifying information about the certificate s issuing certification authority such as a common name organizational unit or department orga...

Page 160: ...es and passwords in the Trusted Users database to use a trusted AP as a relay between the ZyXEL Device s internal RADIUS server and the wireless clients The wireless clients can then be authenticated by the ZyXEL Device s internal RADIUS server 13 4 Configuring Trusted AP To specify trusted APs click the AUTH SERVER link under ADVANCED and then the Trusted AP tab The screen appears as shown ZyXEL ...

Page 161: ...ce use the IP Address and Shared Secret to authenticate a trusted AP IP Address Type the IP address of the trusted AP in dotted decimal notation Shared Secret Enter a password up to 31 alphanumeric characters no spaces as the key for encrypting communications between the AP and the ZyXEL Device The key is not sent over the network This key must be the same on the AP and the ZyXEL Device Both the Z...

Page 162: ...the user name for this user account This name can be up to 31 alphanumeric characters long including spaces The wireless client s utility must use this name as its login name Password Type a password up to 31 ASCII characters for this user profile Note that as you type a password the screen displays a for each character you type The password on the wireless client s utility must be the same as thi...

Page 163: ...in general works as follows. 1. Tim wants to send a private message to Jenny. Tim generates a public key pair. What is encrypted with one key can only be decrypted using the other. 2. Tim keeps the private key and makes the public key openly available. 3. Tim uses his private key to encrypt the message and sends it to Jenny. 4. Jenny receives the message and uses Tim's public key to decrypt it. 5. Additionall...

Page 164: ... to transmit private keys. 14.2 Self-signed Certificates You can have the ZyXEL Device act as a certification authority and sign its own certificates. 14.3 Verifying a Certificate Before you import a trusted CA certificate into the ZyXEL Device, you should verify that you have the actual certificate. This is especially important since the ZyXEL Device also trusts any valid certificate signed by any of...

Page 165: ...ction 14.4 Configuration Summary This section summarizes how to manage certificates. Use the My Certificate screens to generate and export self-signed certificates or certification requests and import the ZyXEL Device's CA-signed certificates. Use the Trusted CA screens to save CA certificates to the ZyXEL Device. 14.5 My Certificates Click CERTIFICATES > My Certificates to open the ZyXEL Device's summa...

Page 166: ...ame used to identify this certificate It is recommended that you give each certificate a unique name Type This field displays what kind of certificate this is REQ represents a certification request and is not yet a valid certificate Send a certification request to a certification authority which then issues a certificate Use the My Certificate Import screen to import the certificate and replace th...

Page 167: ...k the delete icon to remove the certificate A window displays asking you to confirm that you want to delete the certificate You cannot delete a certificate that one or more features is configured to use Do the following to delete a certificate that shows SELF in the Type field 1 Make sure that no other features such as HTTPS VPN SSH are configured to use the SELF certificate 2 Click the details ic...

Page 168: ...ication request that was generated by the ZyXEL Device The certificate you import replaces the corresponding request in the My Certificates screen You must remove any spaces from the certificate s filename before you can import it Figure 99 My Certificate Import The following table describes the labels in this screen Table 57 My Certificate Import LABEL DESCRIPTION File Path Type in the location o...

Page 169: ...e the certificate on the ZyXEL Device Cancel Click Cancel to quit and return to the My Certificates screen Table 57 My Certificate Import LABEL DESCRIPTION Table 58 My Certificate Create LABEL DESCRIPTION Certificate Name Type up to 31 ASCII characters not including spaces to identify this certificate Subject Information Use these fields to record information that identifies the owner of the certi...

Page 170: ... generate and store a request for a certificate Use the My Certificate Details screen to view the certification request and copy it to send to the certification authority Copy the certification request from the My Certificate Details screen Section 14 9 on page 171 and then send it to the certification authority Create a certification request and enroll for a certificate immediately online Select ...

Page 171: ...tails Click CERTIFICATES My Certificates to open the My Certificates screen Figure 98 on page 166 Click the details button to open the My Certificate Details screen You can use this screen to view in depth certificate information and change the certificate s name In the case of a self signed certificate you can set it to be the one that the ZyXEL Device uses to sign the trusted remote host certifi...

Page 172: ...fault self signed certificate which signs the imported remote host certificates Select this check box to have the ZyXEL Device use this certificate to sign the trusted remote host certificates that you import to the ZyXEL Device This check box is only available with self signed certificates If this check box is already selected you cannot clear it in this screen you must select this check box in a...

Page 173: ...uthority, such as Common Name, Organizational Unit, Organization and Country. With self-signed certificates, this is the same as the Subject Name field. Signature Algorithm This field displays the type of algorithm that was used to sign the certificate. The ZyXEL Device uses rsa-pkcs1-sha1 (RSA public-private key encryption algorithm and the SHA1 hash algorithm). Some certification authorities may use rsa p...

Page 174: ... to convert the binary certificate into a printable form. You can copy and paste a certification request into a certification authority's web page, an e-mail that you send to the certification authority or a text editor and save the file on a management computer for later manual enrollment. You can copy and paste a certificate into an e-mail to send to friends or colleagues or you can copy and paste ...

Page 175: ...ountry With self signed certificates this is the same information as in the Subject field Valid From This field displays the date that the certificate becomes applicable The text displays in red and includes a Not Yet Valid message if the certificate has not yet become applicable Valid To This field displays the date that the certificate expires The text displays in red and includes an Expiring or...

Page 176: ...in depth information about the certification authority s certificate change the certificate s name and set whether or not you want the ZyXEL Device to check a certification authority s list of revoked certificates before trusting a certificate issued by the certification authority Table 61 Trusted CA Import LABEL DESCRIPTION File Path Type in the location of the file you want to upload in this fie...

Page 177: ... check box to have the ZyXEL Device not check incoming certificates that are issued by this certification authority against a Certificate Revocation List CRL Certificate Path Click the Refresh button to have this read only text box display the end entity s certificate and a list of certification authority certificates that shows the hierarchy of certification authorities that validate the end enti...

Page 178: ...te has not yet become applicable Valid To This field displays the date that the certificate expires The text displays in red and includes an Expiring or Expired message if the certificate is about to expire or has already expired Key Algorithm This field displays the type of algorithm that was used to generate the certificate s key pair the ZyXEL Device uses RSA encryption and the length of the ke...

Page 179: ...il PEM format PEM uses 64 ASCII characters to convert the binary certificate into a printable form You can copy and paste the certificate into an e mail to send to friends or colleagues or you can copy and paste the certificate into a text editor and save the file on a management computer for later distribution via floppy disk for example Export Click this button and then Save in the File Download...

Page 181: ...e log will wrap around and the old logs will be deleted Click a column heading to sort the entries A triangle indicates the direction of the sort order Figure 105 View Log The following table describes the labels in this screen Table 63 View Log LABEL DESCRIPTION Display Select a log category from the drop down list box to display logs within the selected category To view all logs select All Logs ...

Page 182: ...arrants more serious attention Some categories such as System Errors consist of both logs and alerts You may differentiate them by their color in the View Log screen Alerts are displayed in red and logs are displayed in black Figure 106 Log Settings Notes This field displays additional information about the log entry Email Log Now Click Email Log Now to send the log screen to the e mail address sp...

Page 183: ...the selected categories of logs Log Facility Select a location from the drop down list box The log facility allows you to log the messages to different files in the syslog server Refer to the documentation of your syslog program for more details Send Log Log Schedule This drop down menu is used to configure the frequency of log messages being sent as E mail Daily Weekly Hourly When Log is Full Non...

Page 184: ...Login Fail Someone has failed to log on to the router s web configurator interface TELNET Login Successfully Someone has logged on to the router via telnet TELNET Login Fail Someone has failed to log on to the router via telnet FTP Login Successfully Someone has logged on to the router via FTP FTP Login Fail Someone has failed to log on to the router via FTP Table 66 ICMP Notes TYPE CODE DESCRIPTI...

Page 185: ...Fragment reassembly time exceeded 12 Parameter Problem 0 Pointer indicates the error 13 Timestamp 0 Timestamp request message 14 Timestamp Reply 0 Timestamp reply message 15 Information Request 0 Information request message 16 Information Reply 0 Information reply message Table 67 Sys log LOG MESSAGE DESCRIPTION Mon dd hr mm ss hostname src srcIP srcPort dst dstIP dstPort msg msg note note This me...

Page 186: ...og category command to show the logs in an individual ZyXEL Device log category. Use the sys logs clear command to erase all of the ZyXEL Device's logs. 15.5 Log Command Example This example shows how to set the ZyXEL Device to record the error logs and alerts and then view the results. ras> sys logs load ras> sys logs category error 3 ras> sys logs save ras> sys logs display access time source destinati...

Page 187: ...ce. If a device is not a member of this VLAN, then that device cannot manage the ZyXEL Device. If no devices are in the management VLAN, then you will be able to access the ZyXEL Device only through the console port, not through the network. 16.1.2 VLAN Tagging The ZyXEL Device supports IEEE 802.1q VLAN tagging. Tagged VLAN uses an explicit tag (VLAN ID) in the MAC header of a frame to identify VLAN member...

Page 188: ...s traffic based on the configuration in the RADIUS VLAN screen When you use wireless VLAN and RADIUS VLAN together the ZyXEL Device first tries to assign VLAN IDs based on RADIUS VLAN configuration If a client s user name does not match an entry in the RADIUS VLAN screen the ZyXEL Device assigns a VLAN ID based on the settings in the Wireless VLAN screen See Section 16 2 4 on page 194 for more inf...

Page 189: ...ur network must belong to this VLAN group in order to manage the ZyXEL Device Note Mail and FTP servers must have the same management VLAN ID to communicate with the ZyXEL Device See Section 16 2 3 on page 191 for more information VLAN Mapping Table Use this table to have the ZyXEL Device assign VLAN tags to packets from wireless clients based on the SSID they use to connect to the ZyXEL Device In...

Page 190: ...ferent VLAN IDs This allows you to split wireless stations into groups using similar VLAN IDs Second Rx VLAN ID Enter a number from 1 to 4094 but different from the VLAN ID Traffic received from the LAN that is tagged with this VLAN ID is sent to all SSIDs with this VLAN ID configured in the VLAN ID or Second Rx VLAN ID fields See Section 16 2 5 on page 202 for more information Apply Click this to...

Page 191: ...figured in this screen can access the network through the ZyXEL Device VLAN Mapping Table Use this table to map names to VLAN IDs so that the RADIUS server can assign each user or user group a mapped VLAN ID See your RADIUS server documentation for more information on configuring VLAN ID attributes See Section 16 2 4 on page 194 for more information Index Select a check box to enable the VLAN mapp...

Page 192: ...5 Type a VLAN Group ID This should be the same as the management VLAN ID on the ZyXEL Device 6 Enable Tx Tagging on the port which you want to connect to the ZyXEL Device Disable Tx Tagging on the port you are using to connect to your computer 7 Under Control select Fixed to set the port as a member of the VLAN Figure 110 VLAN Aware Switch Static VLAN 8 Click Apply The following screen displays Fi...

Page 193: ... on page 192 1 In the ZyXEL Device web configurator click VLAN to open the VLAN setup screen 2 Select the Enable VLAN Tagging check box and type a Management VLAN ID (10 in this example) in the field provided 3 Click Apply Figure 113 VLAN Setup 4 The ZyXEL Device attempts to connect with a VLAN aware device. You can now access and manage the ZyXEL Device through the Ethernet switch. If you do not connec...

Page 194: ... the string in the Tunnel Private Group ID attribute is considered as a number ID format for example 2493 The range of the number ID Name string is between 1 and 4094 4c If a or b are not matched the ZyXEL Device uses the VLAN ID configured in the WIRELESS VLAN screen and the wireless station This VLAN ID is independent and hence different to the ID in the VLAN screen 16 2 4 1 Configuring VLAN Gro...

Page 195: ...e defined This allows the IAS to compare the user account being authenticated against the group memberships of each VLAN Group 1 Using the Remote Access Policy option on the Internet Authentication Service management interface create a new VLAN Policy for each VLAN Group defined in the previous section The order of the remote access policies is important The most specific policies should be placed...

Page 196: ...2 The Conditions window displays Select Add to add a condition for this policy to act on 3 In the Select Attribute screen click Windows Groups and the Add button Figure 117 Specifying Windows Group Condition 4 The Select Groups window displays Select a remote access policy and click the Add button The policy is added to the field below Only one VLAN Group should be associated with each policy 5 Cl...

Page 197: ...embership Click the Edit Profile button Figure 119 Granting Permissions and User Profile Screens 7 The Edit Dial in Profile screen displays Click the Authentication tab and select the Extensible Authentication Protocol check box Select an EAP type depending on your authentication needs from the drop down list box Clear the check boxes for all other authentication types listed below the drop down l...

Page 198: ... performed as a safeguard Figure 121 Encryption Tab Settings 9 Click the IP tab and select the Client may request an IP address check box for DHCP support 10 Click the Advanced tab The current default parameters returned to the ZyXEL Device should be Service Type and Framed Protocol Click the Add button to add an additional three RADIUS VLAN attributes required for 802 1X Dynamic VLAN Assignment ...

Page 199: ...m the list three RADIUS attributes will be added Tunnel Medium Type Tunnel Pvt Group ID Tunnel Type Click the Add button Select Tunnel Medium Type Click the Add button Figure 123 RADIUS Attribute Screen 12 The Enumerable Attribute Information screen displays Select the 802 value from the Attribute value drop down list box Click OK ...

Page 200: ...o 4094 or a Name for this policy This Name should match a name in the VLAN mapping table on the ZyXEL Device Wireless stations belonging to the VLAN Group specified in this policy will be given a VLAN ID specified in the ZyXEL Device VLAN table Click OK Figure 125 VLAN ID Attribute Setting for Tunnel Pvt Group ID 15 Return to the RADIUS Attribute Screen shown as Figure 123 on page 199 Select Tunne...

Page 201: ... Click the Close button The completed Advanced tab configuration should resemble the following screen Figure 127 Completed Advanced Tab Repeat the Configuring Remote Access Policies procedure for each VLAN Group defined in the Active Directory Remember to place the most general Remote Access Policies at the bottom of the list and the most specific at the top of the list ...

Page 202: ...is example SSID01's second Rx VLAN ID is set to 2. All incoming packets tagged with VLAN ID 2 are forwarded to SSID02 and also to SSID01. However, SSID02 has no second Rx VLAN ID configured and the ZyXEL Device forwards only packets tagged with VLAN ID 2 to it. 16.2.5.1 Second Rx VLAN Setup Example The following steps show you how to set up a second Rx VLAN ID on the ZyXEL Device 1 Log into the Web Con...

Page 203: ...hows SSID03 tagged with a VLAN ID of 3 and a Second Rx VLAN ID of 4 Figure 129 Configuring SSID Second Rx VLAN ID Example 6 Click Apply to save these settings Outgoing packets from clients in SSID03 are tagged with a VLAN ID of 3 and incoming packets with a VLAN ID of 3 or 4 are forwarded to SSID03 ...

Page 205: ...d for diagnostic purposes Figure 130 System Status The following table describes the labels in this screen Table 72 System Status LABEL DESCRIPTION System Name This is the System Name you can configure in the SYSTEM General screen It is for identification purposes ZyNOS Firmware Version This is the ZyNOS Firmware version and date created ZyNOS is ZyXEL s proprietary Network Operating System design...

Page 206: ...s LAN adaptor WLAN1 or WLAN2 Status This shows the port speed and duplex setting if you are using Ethernet encapsulation for the Ethernet port Ethernet port connections can be in half duplex or full duplex mode Full duplex refers to a device s ability to send and receive simultaneously while half duplex indicates that traffic can flow in only one direction at a time The Ethernet port must use the ...

Page 207: ...of the bridge connection Active This shows whether the bridge connection is activated or not Remote Bridge MAC Address This is the MAC address of the peer device in bridge mode Status This shows the current status of the bridge connection which can be Up or Down TxPkts This is the number of transmitted packets on the wireless bridge RxPkts This is the number of received packets on the wireless bri...

Page 208: ...the ZyXEL Device s WLAN adaptors Link No This field displays the index number of a bridge connection on the WDS MAC Address This field displays a remote bridge MAC address Link Time This field displays the WDS link up time Security This field displays whether traffic on the WDS is encrypted TKIP or AES or not None Refresh Click Refresh to reload the screen Table 74 Association List LABEL DESCRIPTI...

Page 209: ...s the index number of the channel currently used by the associated AP in an Infrastructure wireless network or wireless station in an Ad Hoc wireless network Signal This field displays the strength of the AP s signal If you must choose a channel that s currently in use choose one with low signal strength for minimum interference Network Mode Network mode in this screen refers to your wireless LAN ...

Page 210: ...ktop Figure 136 Network Temporarily Disconnected After two minutes log in again and check your new firmware version in the System Status screen If the upload was not successful the following screen will appear Click Return to go back to the F W Upload screen Figure 137 Firmware Upload Error 17 6 Configuration Screen See Chapter 24 on page 237 for information on how to transfer configuration files ...

Page 211: ...evious settings Click Backup to save the ZyXEL Device s current configuration to your computer 17 6 2 Restore Configuration Restore configuration allows you to upload a new or previously saved configuration file from your computer to your ZyXEL Device 1 Do not turn off the ZyXEL Device while configuration file upload is in progress Table 77 Restore Configuration LABEL DESCRIPTION File Path Type in...

Page 212: ...d the default configuration file you may need to change the IP address of your computer to be in the same subnet as that of the default ZyXEL Device IP address (192.168.1.2). See your Quick Start Guide for details on how to set up your computer's IP address. If the upload was not successful, the following screen will appear. Click Return to go back to the Configuration screen. Figure 141 Configuration Up...

Page 213: ...Device to its factory default settings Refer to Section 2 2 on page 44 for more information 17 7 Restart Screen System restart allows you to reboot the ZyXEL Device without turning the power off Click MAINTENANCE Restart Click Restart to have the ZyXEL Device reboot This does not affect the ZyXEL Device s configuration Figure 143 Restart Screen ...

Page 215: ...troducing the SMT 217 General Setup 223 LAN Setup 225 SNMP Configuration 227 System Password 229 System Information and Diagnosis 231 Firmware and Configuration File Maintenance 237 System Maintenance and Information 243 Troubleshooting 251 ...

Page 217: ...Terminal menus how to navigate the SMT and how to configure SMT menus 18 2 Accessing the SMT via the Console Port Make sure you have the physical connection properly set up as described in the Quick Start Guide When configuring using the console port you need a computer equipped with communications software configured to the following parameters VT100 terminal emulation 9600 Baud No parity 8 data ...

Page 218: ...alize ch 6 ethernet address 12 13 49 DF 42 A8 initialize ch 7 ethernet address 16 13 49 DF 42 A8 initialize ch 8 ethernet address 1A 13 49 DF 42 A8 initialize ch 9 ethernet address 1E 13 49 DF 42 A8 initialize ch 10 ethernet address 06 13 49 DF 42 A9 initialize ch 11 ethernet address 0A 13 49 DF 42 A9 initialize ch 12 ethernet address 0E 13 49 DF 42 A9 initialize ch 13 ethernet address 12 13 49 DF...

Page 219: ...art (usually in the bottom left corner), Run, and then type telnet 192.168.1.2 (the default IP address) and click OK. 2 For your first login, enter the default password 1234. As you type the password, the screen displays an asterisk for each character you type. Figure 146 Login Screen 3 After entering the password you will see the main menu. Please note that if there is no activity for longer than five minute...

Page 220: ...ur ZyXEL Device s various SMT menus 18 6 Navigating the SMT Interface The SMT System Management Terminal is the interface that you use to configure your ZyXEL Device Menu 23 System Password Old Password New Password Retype to confirm Enter here to CONFIRM or ESC to CANCEL Table 78 SMT Menus Overview MENUS SUB MENUS 1 General Setup 3 LAN Setup 3 2 TCP IP Setup 22 SNMP Configuration 23 System Passwo...

Page 221: ...ext field respectively Entering information Type in or press SPACE BAR then press ENTER You need to fill in two types of fields The first requires you to type in the appropriate information The second allows you to cycle through the available choices by pressing SPACE BAR Required fields or ChangeMe All fields with the symbol must be filled in order to be able to save the new configuration All fie...

Page 222: ...eral Setup Use this menu to set up your general information 3 LAN Setup Use this menu to set up your LAN and WLAN connection 22 SNMP Configuration Use this menu to set up SNMP related parameters 23 System Password Use this menu to change your password 24 System Maintenance This menu provides system status diagnostics software upload etc 99 Exit Use this to exit the SMT ...

Page 223: ...ter 1 in the Main Menu to open Menu 1 General Setup as shown next Figure 149 Menu 1 General Setup Fill in the required fields Refer to the following table for more information about these fields Menu 1 General Setup System Name NWA 3500 Domain Name First System DNS Server None IP Address N A Second System DNS Server None IP Address N A Third System DNS Server None IP Address N A Table 81 Menu 1 Ge...

Page 224: ...ER These fields are not available on all models IP Address Enter the IP addresses of the DNS servers This field is available when you select User Defined in the field above When you have completed this menu press ENTER at the prompt Press ENTER to Confirm to save your configuration or press ESC at any time to cancel Table 81 Menu 1 General Setup FIELD DESCRIPTION ...

Page 225: ...the LAN Setup menu is given in the next chapter 20 2 TCP IP Ethernet Setup Use menu 3 2 to configure your ZyXEL Device for TCP IP To edit menu 3 2 enter 3 from the main menu to display Menu 3 LAN Setup When menu 3 appears type 2 and press ENTER to display Menu 3 2 TCP IP Setup as shown next Figure 151 Menu 3 2 TCP IP Setup Menu 3 LAN Setup 2 TCP IP Setup Enter Menu Selection Number Menu 3 2 TCP IP...

Page 226: ...o your network and the gateway IP address if applicable IP Address Enter the LAN IP address of your ZyXEL Device in dotted decimal notation IP Subnet Mask Your ZyXEL Device will automatically calculate the subnet mask based on the IP address that you assign Unless you are implementing subnetting use the subnet mask computed by the ZyXEL Device Gateway IP Address Type the IP address of the gateway ...

Page 227: ...mmunity public Trusted Host 0.0.0.0 Trap Community public Destination 0.0.0.0 Press ENTER to Confirm or ESC to Cancel Table 83 Menu 22 SNMP Configuration FIELD DESCRIPTION SNMP Get Community Type the Get Community, which is the password for the incoming Get and GetNext requests from the management station. Set Community Type the Set Community, which is the password for incoming Set requests from the ...

Page 228: ...address of the station to send your SNMP traps to When you have completed this menu press ENTER at the prompt Press ENTER to confirm or ESC to cancel to save your configuration or press ESC to cancel and go back to the previous screen Table 83 Menu 22 SNMP Configuration FIELD DESCRIPTION ...

Page 229: ...ou can configure the system password in this menu Figure 153 Menu 23 System Security You should change the default password If you forget your password you have to restore the default configuration file Refer to Section 18 4 on page 219 and Section 2 2 on page 44 Menu 23 System Security 1 Change Password 5 Security Profile Edit Enter Menu Selection Number ...

Page 231: ... shown next System Status is a tool that can be used to monitor your ZyXEL Device Specifically it gives you information on your Ethernet and Wireless LAN status and the number of packets sent and received To get to System Status type 24 to go to Menu 24 System Maintenance From this menu type 1 There are two commands in Menu 24 1 System Maintenance Status Entering 9 resets the counters pressing ESC...

Page 232: ... and WLAN 2 Status This shows the status of the remote node TxPkts This is the number of transmitted packets to this remote node RxPkts This is the number of received packets from this remote node Cols This is the number of collisions on this connection Tx B s This shows the transmission rate in bytes per second Rx B s This shows the receiving rate in bytes per second Up Time This is the time this...

Page 233: ...er 1 in menu 24 2 to display the screen shown next Figure 157 Menu 24 2 1 System Information Information The following table describes the fields in this menu Menu 24 2 System Information and Console Port Speed 1 System Information 2 Console Port Speed Please enter selection Menu 24 2 1 System Maintenance Information Name NWA 3500 Routing BRIDGE ZyNOS F W Version V3 60 AAI 0 b1 05 25 2005 Country ...

Page 234: ...e procedures to view the local error trace log 1 Type 24 in the main menu to display Menu 24 System Maintenance 2 From menu 24 type 3 to display Menu 24 3 System Maintenance Log and Trace ZyNOS F W Version Refers to the ZyNOS ZyXEL Network Operating System system firmware version ZyNOS is a registered trademark of ZyXEL Communications Corporation Country Code Refers to the country code of the firm...

Page 235: ...iagnostic Follow the procedure next to display this menu 1 From the main menu type 24 to open Menu 24 System Maintenance 2 From this menu type 4 to open Menu 24 4 System Maintenance Diagnostic Menu 24 3 System Maintenance Log and Trace 1 View Error Log Please enter selection 55 Sat Jan 1 00 00 00 2000 PP05 ERROR Wireless LAN init fail code 1 56 Sat Jan 1 00 00 01 2000 PP07 INFO LAN promiscuous mod...

Page 236: ...u 24 4 System Maintenance Menu Diagnostic FIELD DESCRIPTION Ping Host Ping the host to see if the links and TCP IP protocol on both systems are working DHCP Release Release the IP address assigned by the DHCP server DHCP Renewal Get a new IP address from the DHCP server Reboot System Reboot the ZyXEL Device Host IP Address If you typed 1 to Ping Host now type the address of the computer you want t...

Page 237: ... your computer under a filename of your choosing. ZyNOS (ZyXEL Network Operating System, sometimes referred to as the "ras" file) is the system firmware and has a .bin filename extension. With many FTP and TFTP clients, the filenames are similar to those seen next. ftp> put firmware.bin ras This is a sample FTP session showing the transfer of the computer file firmware.bin to the ZyXEL Device. ftp> get rom-0 c...

Page 238: ... your computer to the ZyXEL Device 24 2 1 Using the FTP command from the DOS Prompt 1 Launch the FTP client on your computer 2 Enter open and the IP address of your ZyXEL Device 3 Press ENTER when prompted for a username 4 Enter root and your SMT password as requested The default is 1234 5 Enter bin to set transfer mode to binary 6 Use get to transfer files from the ZyXEL Device to the computer fo...

Page 239: ...T timeout, so the TFTP transfer will not be interrupted. Enter command sys stdio 5 to restore the five minute SMT timeout (default) when the file transfer is complete. 4 Launch the TFTP client on your computer and connect to the ZyXEL Device. Set the transfer mode to binary before starting data transfer. 331 Enter PASS command Password: 230 Logged in ftp> bin 200 Type I OK ftp> get rom-0 zyxel.rom 200 Port ...

Page 240: ...figuration via FTP or TFTP to your ZyXEL Device The preferred method is FTP Note that this function erases the current configuration before restoring the previous backup configuration please do not attempt to restore unless you have a backup configuration stored on disk To restore configuration using FTP or TFTP is the same as uploading the configuration file please refer to the following sections...

Page 241: ...as well it is not recommended To use TFTP your computer must have both telnet and TFTP clients To transfer the firmware and the configuration file follow the procedure shown next 1 Use telnet from your computer to connect to the ZyXEL Device and log in Because TFTP does not have any security checks the ZyXEL Device records the IP address of the telnet client and accepts TFTP requests only from thi...

Page 242: ...ter put the other way around and binary to set binary transfer mode. 24.3.3 Example TFTP Command The following is an example TFTP command: tftp -i host put firmware.bin ras where -i specifies binary image transfer mode (use this mode when transferring binary files), host is the ZyXEL Device's IP address, put transfers the file source on the computer (firmware.bin, name of the firmware on the computer) to the...

Page 243: ... disk or the zyxel com web site for more detailed information on CI commands Enter 8 from Menu 24 System Maintenance A list of valid commands can be found by typing help or at the command prompt Type exit to return to the SMT main menu when finished 1 Use of undocumented commands or misconfiguration can damage the unit and possibly render it unusable Figure 164 Menu 24 System Maintenance Menu 24 S...

Page 244: ...isabling and configuring the brute force password guessing protection mechanism for the password 25 1 3 1 Configuring Brute Force Password Guessing Protection Example sys pwderrtm 5 This command sets the password protection to block all access attempts for five minutes after the third time an incorrect password is entered Copyright c 1994 2005 ZyXEL Communications Corp NWA 3500 Valid commands are ...

Page 245: ...mm dd 2000 01 01 Time Zone GMT Daylight Saving No Start Date mm nth week hr 01 01 End Date mm nth week hr 01 01 Press ENTER to Confirm or ESC to Cancel Press Space Bar to Toggle Table 91 System Maintenance Time and Date Setting FIELD DESCRIPTION Time Protocol Enter the time service protocol that your time server sends when you turn on the ZyXEL Device Not all time servers support all protocols so ...

Page 246: ...l of the time zones in the European Union start using Daylight Saving Time at the same moment 1 A M GMT or UTC So in the European Union you would select Last Sunday March The time you type in the at field depends on your time zone In Germany for instance you would type 2 because Germany s time zone is one hour ahead of GMT or UTC GMT 1 End Date Configure the day and time when Daylight Saving Time ...

Page 247: ...line help for details 25 3 4 Remote Management Setup Remote management setup is for managing Telnet FTP and Web services You can customize the service port access interface and the secured client IP address to enhance security and flexibility You can manage your ZyXEL Device from a remote location via Internet WLAN only the LAN only All LAN and WLAN or Disable neither If you enable remote manageme...

Page 248: ...te management service. You can change the port number for a service if needed, but you must use the same port number to use that service for remote management. Access Select the access interface (if any) by pressing the SPACE BAR. Choices are LAN only, WAN only, All or Disable. The default is LAN only. Secured Client IP The default 0.0.0.0 allows any client to use this service to remotely manage the ZyXEL D...

Page 249: ...ssion of the same type Telnet FTP or Web running You may only have one remote management session of the same type running at one time 4 There is a web remote management session running with a Telnet session A Telnet session will be disconnected if you begin a web session it will not begin if there already is a web session 25 4 System Timeout There is a system timeout of five minutes 300 seconds fo...

Page 251: ... is connected to the ZyXEL Device and plugged in to an appropriate power source Make sure the power source is turned on 3 Disconnect and re connect the power adaptor or cord to the ZyXEL Device 4 If the problem continues contact the vendor V One of the LEDs does not behave as expected 1 Make sure you understand the normal behavior of the LED See Section 1 6 on page 40 2 Check the hardware connecti...

Page 252: ...nd have forgotten it see the troubleshooting suggestions for I forgot the IP address for the ZyXEL Device 2 Check the hardware connections and make sure the LEDs are behaving as expected See the Quick Start Guide and Section 1 6 on page 40 3 Make sure your Internet browser does not block pop up windows and has JavaScripts and Java enabled See Section 26 1 on page 251 4 Make sure your computer is i...

Page 253: ...4 V I cannot access the SMT See the troubleshooting suggestions for I cannot see or access the Login screen in the web configurator Ignore the suggestions about your browser V I cannot access the ZyXEL Device via the console port 1 Check to see if the ZyXEL Device is connected to your computer s console port 2 Check to see if the communications program is configured correctly The communications so...

Page 254: ...nd make sure the LEDs are behaving as expected See the Quick Start Guide and Section 1 6 on page 40 2 Reboot the ZyXEL Device 3 If the problem continues contact your ISP V The Internet connection is slow or intermittent 1 There might be a lot of traffic on the network Look at the LEDs and check Section 1 6 on page 40 If the ZyXEL Device is sending or receiving a lot of information try closing some...

Page 255: ...pecifications 259 Power Adaptor Specifications 261 Setting up Your Computer s IP Address 263 Wireless LANs 275 Pop up Windows JavaScripts and Java Permissions 289 IP Addresses and Subnetting 295 Text File Based Auto Configuration 303 Legal Information 311 Customer Support 315 Index 319 ...

Page 257: ...XEL Device the antenna on the right is used by wireless LAN adaptor WLAN1 and the antenna on the left is used by wireless LAN adaptor WLAN2 Operation Temperature 0 50 º C Storage Temperature 30 60 º C Operation Humidity 10 90 non condensing Storage Humidity 5 95 non condensing Dimensions 212 5mm x 138 5mm x 52mm Distance between the centers of wall mounting holes on the device s back 80 mm Screw s...

Page 258: ...obtain confidential user information such as credit card numbers By convention URLs that require an SSL connection start with https instead of http The ZyXEL Device allows SSL connections to take place through the ZyXEL Device MAC Address Filter Your ZyXEL Device checks the MAC address of the wireless station against a list of allowed or denied MAC addresses Wireless Association List With the wire...

Page 259: ...ust comply with IEEE 802.3af 7 Table 95 Power over Ethernet Injector Specifications Power Output 15.4 Watts maximum Power Current 400 mA maximum Table 96 Power over Ethernet Injector RJ 45 Port Pin Assignments PIN NO RJ 45 SIGNAL ASSIGNMENT 1 Output Transmit Data 2 Output Transmit Data 3 Receive Data 4 Power 5 Power 6 Receive Data 7 Power 8 Power 1 2 3 4 5 6 7 8 ...

Page 260: ...Appendix B Power over Ethernet PoE Specifications ZyXEL NWA 3500 User s Guide 260 ...

Page 261: ...wer 100 240 Volts AC 50 60 Hz 0 5 A Output Power 12 Volts DC 1 5 A 18 W Power Consumption 6 W Max Safety Standards TUV GS CE EN 60950 Table 99 United Kingdom Plug Standards AC Power Adaptor Model ADS6818 1812 D 1215 Input Power 100 240 Volts AC 50 60 Hz 0 5 A Output Power 12 Volts DC 1 5 A 18 W Power Consumption 6 W Max Safety Standards TUV GS BS EN 60950 Table 100 Australia and New Zealand Plug S...

Page 262: ...Appendix C Power Adaptor Specifications ZyXEL NWA 3500 User s Guide 262 ...

Page 263: ...f a third party TCP IP application package TCP IP should already be installed on computers using Windows NT 2000 XP Macintosh OS 7 and later operating systems After the appropriate TCP IP components are installed configure the TCP IP settings in order to communicate with your network If you manually assign IP information instead of using dynamic assignment make sure that your computers have IP add...

Page 264: ... then click Add 3 Select the manufacturer and model of your network adapter and then click OK If you need TCP IP 1 In the Network window click Add 2 Select Protocol and then click Add 3 Select Microsoft from the list of manufacturers 4 Select TCP IP from the list of network protocols and then click OK If you need Client for Microsoft Networks 1 Click Add 2 Select Client and then click Add 3 Select...

Page 265: ...c select Obtain an IP address automatically If you have a static IP address select Specify an IP address and type your information into the IP Address and Subnet Mask fields Figure 170 Windows 95 98 Me TCP IP Properties IP Address 3 Click the DNS Configuration tab If you do not know your DNS information select Disable DNS If you know your DNS information select Enable DNS and type the information ...

Page 266: ... to save and close the TCP IP Properties window 6 Click OK to close the Network window Insert the Windows CD if prompted 7 Turn on your ZyXEL Device and restart your computer when prompted Verifying Settings 1 Click Start and then Run 2 In the Run window type winipcfg and then click OK to open the IP Configuration window 3 Select your network adapter You should see your computer s IP address subne...

Page 267: ...NWA 3500 User s Guide 267 Figure 172 Windows XP Start Menu 2 For Windows XP click Network Connections For Windows 2000 NT click Network and Dial up Connections Figure 173 Windows XP Control Panel 3 Right click Local Area Connection and then click Properties ...

Page 268: ...al tab in Win XP and click Properties Figure 175 Windows XP Local Area Connection Properties 5 The Internet Protocol TCP IP Properties window opens the General tab in Windows XP If you have a dynamic IP address click Obtain an IP address automatically If you have a static IP address click Use the following IP Address and fill in the IP address Subnet mask and Default gateway fields Click Advanced ...

Page 269: ...tings tab by clicking Add in Default gateways In TCP IP Gateway Address type the IP address of the default gateway in Gateway To manually configure a default metric the number of transmission hops clear the Automatic metric check box and type a metric in Metric Click Add Repeat the previous three steps for each default gateway you want to add Click OK when finished 7 In the Internet Protocol TCP I...

Page 270: ...operties window 10 Turn on your ZyXEL Device and restart your computer if prompted Verifying Settings 1 Click Start All Programs Accessories and then Command Prompt 2 In the Command Prompt window type ipconfig and then press ENTER You can also open Network Connections right click a network connection click Status and then click the Support tab Macintosh OS 8 9 1 Click the Apple menu Control Panel ...

Page 271: ... Macintosh OS 8 9 Apple Menu 2 Select Ethernet built in from the Connect via list Figure 179 Macintosh OS 8 9 TCP IP 3 For dynamically assigned settings select Using DHCP Server from the Configure list 4 For statically assigned settings do the following From the Configure box select Manually ...

Page 272: ...configuration 7 Turn on your ZyXEL Device and restart your computer if prompted Verifying Settings Check your TCP IP properties in the TCP IP Control Panel window Macintosh OS X 1 Click the Apple menu and click System Preferences to open the System Preferences window Figure 180 Macintosh OS X Apple Menu 2 Click Network in the icon bar Select Automatic from the Location list Select Built in Etherne...

Page 273: ...From the Configure box select Manually Type your IP address in the IP Address box Type your subnet mask in the Subnet mask box Type the IP address of your ZyXEL Device in the Router address box 5 Click Apply Now and close the window 6 Turn on your ZyXEL Device and restart your computer if prompted Verifying Settings Check your TCP IP properties in the Network window ...

Page 274: ...Appendix D Setting up Your Computer s IP Address ZyXEL NWA 3500 User s Guide 274 ...

Page 275: ...dependent Basic Service Set IBSS The following diagram shows an example of notebook computers using wireless adapters to form an ad hoc wireless LAN Figure 182 Peer to Peer Communication in an Ad hoc Network BSS A Basic Service Set BSS exists when all communications between wireless clients or between a wireless client and a wired network client go through one access point AP Intra BSS traffic is ...

Page 276: ... wired connection between APs is called a Distribution System DS This type of wireless LAN topology is called an Infrastructure WLAN The Access Points not only provide communication with the wired network but also mediate wireless network traffic in the immediate neighborhood An ESSID ESS IDentification uniquely identifies each ESS All access points and their associated wireless clients within the...

Page 277: ...ly overlap however To avoid interference due to overlap your AP should be on a channel at least five channels away from a channel that an adjacent AP is using For example if your region has 11 channels and an adjacent AP is using channel 1 then you need to select a channel between 6 and 11 RTS CTS A hidden node occurs when two stations are within range of the same access point but are not within ra...

Page 278: ...e requested transmission Stations can send frames smaller than the specified RTS CTS directly to the AP without the RTS Request To Send CTS Clear to Send handshake You should only configure RTS CTS if the possibility of hidden nodes exists on your network and the cost of resending large frames is more than the extra network overhead involved in the RTS Request To Send CTS Clear to Send handshake I...

Page 279: ... it and to provide more efficient communications Select Dynamic to have the AP automatically use short preamble when wireless adapters support it otherwise the AP uses long preamble The AP and the wireless adapters MUST use the same preamble mode in order to communicate IEEE 802 11g Wireless LAN IEEE 802 11g is fully compatible with the IEEE 802 11b standard This means an IEEE 802 11b adapter can ...

Page 280: ...advantages of IEEE 802 1x are User based identification that allows for roaming Support for RADIUS Remote Authentication Dial In User Service RFC 2138 2139 for centralized user profile and accounting management on a network RADIUS server Support for EAP Extensible Authentication Protocol RFC 2486 that allows additional authentication methods to be deployed with no changes to the access point or th...

Page 281: ...oint and the RADIUS server for user accounting Accounting Request Sent by the access point requesting accounting Accounting Response Sent by the RADIUS server to indicate that it has started or stopped accounting In order to ensure network security the access point and the RADIUS server use a shared secret key which is a password they both know The key is not sent over the network In addition to t...

Page 282: ...e wireless clients for mutual authentication The server presents a certificate to the client After validating the identity of the server the client sends a different certificate to the server The exchange of certificates is done in the open before a secured tunnel is created This makes user identity vulnerable to passive attacks A digital certificate is an electronic ID card that authenticates the...

Page 283: ...s stronger encryption authentication and key management than WPA Key differences between WPA or WPA2 and WEP are improved data encryption and user authentication If both an AP and the wireless clients support WPA2 and you have an external RADIUS server use WPA2 for stronger data encryption If you don t have an external RADIUS server you should use WPA2 PSK WPA2 Pre Shared Key that only requires a ...

Page 284: ...ed with and the packet is dropped By generating unique data encryption keys for every data packet and by creating an integrity checking mechanism MIC with TKIP and AES it is more difficult to decrypt data on a Wi Fi network than WEP and difficult for an intruder to break into the network The encryption mechanisms used for WPA 2 and WPA 2 PSK are the same The only difference between the two is that...

Page 285: ...nt s authentication request to the RADIUS server 2 The RADIUS server then checks the user s identification against its database and grants or denies network access accordingly 3 The RADIUS server distributes a Pairwise Master Key PMK key to the AP that then sets up a key hierarchy and management system using the pair wise key to dynamically generate unique data encryption keys to encrypt every dat...

Page 286: ...s RF signals onto air A transmitter within a wireless device sends an RF signal to the antenna which propagates the signal through the air The antenna also operates in reverse by capturing RF signals from the air Table 104 Wireless Security Relational Matrix AUTHENTICATION METHOD KEY MANAGEMENT PROTOCOL ENCRYPTION METHOD ENTER MANUAL KEY IEEE 802 1X Open None No Disable Enable without Dynamic WEP...

Page 287: ...an isotropic antenna An isotropic antenna is a theoretical perfect antenna that sends out radio signals equally well in all directions dBi represents the true gain that the antenna provides Types of Antennas for WLAN There are two types of antennas used for wireless LAN applications Omni directional antennas send the RF signal out in all directions on a horizontal plane The coverage area is torus ...

Page 288: ...d so on point the antenna up For omni directional antennas mounted on a wall or ceiling point the antenna down For a single AP application place omni directional antennas as close to the center of the coverage area as possible For directional antennas point the antenna in the direction of the desired coverage area ...

Page 289: ...ternet Explorer Pop up Blockers You may have to disable pop up blocking to log into your device Either disable pop up blocking enabled by default in Windows XP SP Service Pack 2 or allow pop up blocking and create an exception for your device s IP address Disable pop up Blockers 1 In Internet Explorer select Tools Pop up Blocker and then select Turn Off Pop up Blocker Figure 188 Pop up Blocker You...

Page 290: ...ny web pop up blockers you may have enabled Figure 189 Internet Options Privacy 3 Click Apply to save this setting Enable pop up Blockers with Exceptions Alternatively if you only want to allow pop up windows from your device see the following steps 1 In Internet Explorer select Tools Internet Options and then the Privacy tab 2 Select Settings to open the Pop up Blocker Settings screen ...

Page 291: ...Guide 291 Figure 190 Internet Options Privacy 3 Type the IP address of your device the web page that you do not want to have blocked with the prefix http For example http 192 168 167 1 4 Click Add to move the IP address to the list of Allowed sites Figure 191 Pop up Blocker Settings ...

Page 292: ...isplay properly in Internet Explorer check that JavaScripts are allowed 1 In Internet Explorer click Tools Internet Options and then the Security tab Figure 192 Internet Options Security 2 Click the Custom Level button 3 Scroll down to Scripting 4 Under Active scripting make sure that Enable is selected the default 5 Under Scripting of Java applets make sure that Enable is selected the default 6 C...

Page 293: ...ettings Java Scripting Java Permissions 1 From Internet Explorer click Tools Internet Options and then the Security tab 2 Click the Custom Level button 3 Scroll down to Microsoft VM 4 Under Java permissions make sure that a safety level is selected 5 Click OK to close the window Figure 194 Security Settings Java ...

Page 294: ...Permissions ZyXEL NWA 3500 User s Guide 294 JAVA Sun 1 From Internet Explorer click Tools Internet Options and then the Advanced tab 2 Make sure that Use Java 2 for applet under Java Sun is selected 3 Click OK to close the window Figure 195 Java Sun ...

Page 295: ...t share a common street name the hosts on a network share a common network number Similarly as each house has its own house number each host on the network has its own unique identifying number the host ID Routers use the network number to send packets to the correct network while the host ID determines to which host on the network the packets are delivered Structure An IP address is made up of fo...

Page 296: ...in the IP address is part of the host ID The following example shows a subnet mask identifying the network number in bold text and host ID of an IP address 192 168 1 2 in decimal By convention subnet masks always consist of a continuous sequence of ones beginning from the leftmost bit of the mask followed by a continuous sequence of zeros for a total number of 32 bits Subnet masks can be referred ...

Page 297: ...wed by a continuous number of zeros for the remainder of the 32 bit mask you can simply specify the number of ones instead of writing the value of each octet This is usually specified by writing a followed by the number of bits in the mask after the address For example 192 1 1 0 25 is equivalent to saying 192 1 1 0 with subnet mask 255 255 255 128 The following table shows some possible subnet mas...

Page 298: ... shows the company network before subnetting Figure 197 Subnetting Example Before Subnetting You can borrow one of the host ID bits to divide the network 192 168 1 0 into two separate sub networks The subnet mask is now 25 bits 255 255 255 128 or 25 The borrowed host ID bit can have a value of either 0 or 1 allowing two subnets 192 168 1 0 25 and 192 168 1 128 25 The following figure shows the com...

Page 299: ...168 1 254 Example Four Subnets The previous example illustrated using a 25 bit subnet mask to divide a 24 bit address into two subnets Similarly to divide a 24 bit address into four subnets you need to borrow two host ID bits to give four possible combinations 00 01 10 and 11 The subnet mask is 26 bits 11111111 11111111 11111111 11000000 or 255 255 255 192 Each subnet contains 6 host ID bits givin...

Page 300: ...Subnet 3 IP SUBNET MASK NETWORK NUMBER LAST OCTET BIT VALUE IP Address 192 168 1 128 IP Address Binary 11000000 10101000 00000001 10000000 Subnet Mask Binary 11111111 11111111 11111111 11000000 Subnet Address 192 168 1 128 Lowest Host ID 192 168 1 129 Broadcast Address 192 168 1 191 Highest Host ID 192 168 1 190 Table 112 Subnet 4 IP SUBNET MASK NETWORK NUMBER LAST OCTET BIT VALUE IP Address 192 1...

Page 301: ...OST BITS SUBNET MASK NO SUBNETS NO HOSTS PER SUBNET 1 255 255 255 128 25 2 126 2 255 255 255 192 26 4 62 3 255 255 255 224 27 8 30 4 255 255 255 240 28 16 14 5 255 255 255 248 29 32 6 6 255 255 255 252 30 64 2 7 255 255 255 254 31 128 1 Table 115 16 bit Network Number Subnet Planning NO BORROWED HOST BITS SUBNET MASK NO SUBNETS NO HOSTS PER SUBNET 1 255 255 128 0 17 2 32766 2 255 255 192 0 18 4 16...

Page 302: ...ou entered You don t need to change the subnet mask computed by the ZyXEL Device unless you are instructed to do otherwise Private IP Addresses Every machine on the Internet must have a unique address If your networks are isolated from the Internet running only between two branch offices for example you can assign any IP addresses to the hosts without problems However the Internet Assigned Numbers...

Page 303: ...he wireless LAN settings on multiple APs The AP can automatically get a configuration file from a TFTP server at startup or after renewing DHCP client information Figure 199 Text File Based Auto Configuration Use one of the following methods to give the AP the IP address of the TFTP server where you store the configuration files and the name of the configuration file that it should download You ca...

Page 304: ... the following command to manually configure a TFTP server IP address and a file name for the AP to use for auto provisioning whenever the AP starts up See Section 25 1 on page 243 for how to access the Command Interpreter CI Configuration Via SNMP You can configure and trigger the auto configuration remotely via SNMP Use the following procedure to have the AP download the configuration file Table...

Page 305: ...ersion of the downloaded file is the same or smaller older the AP ignores the file If the version of the downloaded file is larger newer the AP uses the file Configuration File Rules You can only use the wlan and wcfg commands in the configuration file The AP ignores other ZyNOS commands but continues to check the next command The AP ignores any improperly formatted commands and continues to check...

Page 306: ...must use the store compression method and a zip file extension When zipping a configuration file you can also add password protection using the same password that you use to log into the AP Wcfg Command Configuration File Examples These example configuration files use the wcfg command to configure security and SSID profiles Figure 201 WEP Configuration File Example Table 121 Displaying the Auto Co...

Page 307: ...adius 2 primary 172 23 3 4 1812 1234 enable wcfg radius 2 backup 172 23 3 5 1812 1234 enable wcfg radius save wcfg ssid 2 name ssid 8021x wcfg ssid 2 security Test 8021x wcfg ssid 2 radius radius rd wcfg ssid 2 qos 4 wcfg ssid 2 l2isolation disable wcfg ssid 2 macfilter disable wcfg ssid save ZYXEL PROWLAN VERSION 13 wcfg security 3 name Test wpapsk wcfg security 3 mode wpapsk wcfg security 3 pass...

Page 308: ... that the commands are applied in order So for example you would place the commands that create security and SSID profiles before the commands that tell the AP to use those profiles ZYXEL PROWLAN VERSION 14 wcfg security 4 name Test wpa wcfg security 4 mode wpa wcfg security 4 reauthtime 1800 wcfg security 4 idletime 3600 wcfg security 4 groupkeytime 1800 wcfg security save wcfg radius 4 name radi...

Page 309: ...ame ssid wpapsk wcfg ssid 3 security Test wpapsk wcfg ssid 4 name ssid wpa2psk wcfg ssid 4 security Test wpa2psk wcfg ssid save line starting with is comment change to channel 8 wlan chid 8 change operating mode AP mode then select ssid wep as running WLAN profile wlan opmode 0 wlan ssidprofile ssid wep change operating mode MBSSID mode then select ssid wpapsk ssid wpa2psk as running WLAN profiles...

Page 310: ...Appendix H Text File Based Auto Configuration ZyXEL NWA 3500 User s Guide 310 ...

Page 311: ...otice Trademarks ZyNOS ZyXEL Network Operating System is a registered trademark of ZyXEL Communications Inc Other trademarks mentioned in this publication are used for identification purposes only and may be properties of their respective owners Certifications Federal Communications Commission FCC Interference Statement The device complies with Part 15 of FCC rules Operation is subject to the foll...

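Page 312: ...r environment IEEE 802 11b or 802 11g operation of this product in the U S A is firmware limited to channels 1 through 11 To comply with FCC RF exposure compliance requirements a separation distance of at least 20 cm must be maintained between the antenna of this device and all persons Notice: Pursuant to the Administrative Regulations on Low Power Radio Waves Radiated Devices, Article 12: for a low power radio frequency device that has passed type approval, no company, firm or user may, without permission, change the frequency, increase the power, or alter the characteristics and functions of the original design. Article 14: the use of low power radio frequency devices must not affect flight safety or interfere with lawful ...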

Page 313: ...d with damaged by an act of God or subjected to abnormal working conditions Note Repair or replacement as provided under this warranty is the exclusive remedy of the purchaser This warranty is in lieu of all other warranties express or implied including any implied warranty of merchantability or fitness for a particular use or purpose ZyXEL shall in no event be held liable for indirect or conseque...

Page 314: ...Appendix I Legal Information ZyXEL NWA 3500 User s Guide 314 ...

Page 315: ...8 2439 Web Site www zyxel com www europe zyxel com FTP Site ftp zyxel com ftp europe zyxel com Regular Mail ZyXEL Communications Corp 6 Innovation Road II Science Park Hsinchu 300 Taiwan Costa Rica Support E mail soporte zyxel co cr Sales E mail sales zyxel co cr Telephone 506 2017878 Fax 506 2015098 Web Site www zyxel co cr FTP Site ftp zyxel co cr Regular Mail ZyXEL Costa Rica Plaza Roble Escazú...

Page 316: ...inki Finland France E mail info zyxel fr Telephone 33 4 72 52 97 97 Fax 33 4 72 52 19 20 Web Site www zyxel fr Regular Mail ZyXEL France 1 rue des Vergers Bat 1 C 69760 Limonest France Germany Support E mail support zyxel de Sales E mail sales zyxel de Telephone 49 2405 6909 69 Fax 49 2405 6909 99 Web Site www zyxel de Regular Mail ZyXEL Deutschland GmbH Adenauerstr 20 A2 D 52146 Wuerselen Germany...

Page 317: ...001 U S A Norway Support E mail support zyxel no Sales E mail sales zyxel no Telephone 47 22 80 61 80 Fax 47 22 80 61 81 Web Site www zyxel no Regular Mail ZyXEL Communications A S Nils Hansens vei 13 0667 Oslo Norway Poland E mail info pl zyxel com Telephone 48 22 333 8250 Fax 48 22 333 8251 Web Site www pl zyxel com Regular Mail ZyXEL Communications ul Okrzei 1A 03 715 Warszawa Poland Russia Sup...

Page 318: ...mail support ua zyxel com Sales E mail sales ua zyxel com Telephone 380 44 247 69 78 Fax 380 44 494 49 32 Web Site www ua zyxel com Regular Mail ZyXEL Ukraine 13 Pimonenko Str Kiev 04050 Ukraine United Kingdom Support E mail support zyxel co uk Sales E mail sales zyxel co uk Telephone 44 1344 303044 08707 555779 UK only Fax 44 1344 303034 Web Site www zyxel co uk FTP Site ftp zyxel co uk Regular M...

Page 319: ... 211 Basic Service Set 87 see BSS bridge 34 35 Bridge Protocol Data Units BPDUs 93 Bridge Repeater 33 34 BSS 36 87 275 BSSID 33 C CA 282 Certificate Authority See CA certificates 158 thumbprint algorithms 164 thumbprints 164 verifying fingerprints 164 certifications 311 notices 312 viewing 313 channel 33 277 interference 277 CI commands 244 Class of Service CoS 91 collision 232 command interface 3...

Page 320: ...flow control 217 fragmentation threshold 278 friendly AP list 144 FTP 38 147 149 249 restrictions 147 249 G general setup 81 223 guest SSID 37 H hidden menus 221 hidden node 277 honeypot attack 142 host 83 humidity 257 I IANA 302 IBSS 275 IEEE 802 11g 279 IEEE 802 1x 33 in band management 191 Independent Basic Service Set 208 see IBSS initial screen 217 initialization vector IV 284 installation 33...

Page 321: ...airwise Master Key PMK 284 285 password 82 218 219 227 257 path cost 93 Per Hop Behavior 91 PHB Per Hop Behavior 92 ping 236 PoE 259 power specifications 257 259 preamble mode 279 pre configured profiles 37 priorities 89 prioritization 33 private IP address 137 product registration 313 PSK 284 Q QoS 33 125 Quick Start Guide 43 R radio 33 RADIUS 280 message types 281 messages 281 shared secret key ...

Page 322: ...ntax conventions 4 system console port speed 234 diagnostic 235 log and trace 234 system information 233 system status 231 time and date 245 system information 233 system information diagnosis 231 system maintenance 231 233 239 241 243 245 system name 81 system timeout 147 249 T tagged VLAN example 191 TCP IP 236 247 telnet 148 246 telnet configuration 246 247 telnet under NAT 247 temperature 257 ...

Page 323: ...s modules dual 33 wireless security 36 103 279 WLAN 39 interference 277 security parameters 286 WLAN interface 33 WMM 125 WPA 33 104 283 key caching 284 pre authentication 284 user authentication 284 vs WPA PSK 284 wireless client supplicant 285 with RADIUS application example 285 WPA with RADIUS application 106 WPA2 33 283 user authentication 284 vs WPA2 PSK 284 wireless client supplicant 285 wit...

Page 324: ...Index ZyXEL NWA 3500 User s Guide 324 ...
